b'   United States Department of Agriculture\n   Office of Inspector General\n\n\n\n\nU.S. Department of Agriculture, Office of the\nChief Information Officer, Fiscal Year 2012\nFederal Information Security Management Act\n\n\n\n\n                                             Audit Report 50501-0003-12\n                                             November 2012\n\x0c                                      U.S. Department of Agriculture, Office of the Chief\n                                            Information Officer, Fiscal Year 2012\n                                        Federal Information Security Management Act\n\nWhat Were OIG\xe2\x80\x99s                                     Audit Report 50501-0003-12\nObjectives\nOur objective was to evaluate\nUSDA\xe2\x80\x99s overall IT security\nprogram, including the\neffectiveness of the\nDepartment\xe2\x80\x99s oversight,           As required by the Federal Information\ncompliance with FISMA, and\neffectiveness of controls over    Security Management Act (FISMA), OIG\nconfiguration management,         reviewed USDA\xe2\x80\x99s ongoing efforts to improve\nincident response, IT training,   its information technology security program\nremote access management,\nidentity and access               and practices, as of FY 2012.\nmanagement, continuous\nmonitoring, contingency\nplanning, contractor systems,     What OIG Found\nand capital planning.\n                                  The Office of Inspector General (OIG) found that, although the\nWhat OIG Reviewed                 Department of Agriculture (USDA) has made improvements in its\n                                  information technology (IT) security over the last decade, many\nThe scope of this audit was       longstanding weaknesses remain. 
In fiscal years (FY) 2009, 2010,\nDepartmentwide and included       and 2011, OIG made 43 recommendations for improving the overall\nagency IT audit work              security of USDA\xe2\x80\x99s systems, but only 14 of these have been closed.\ncompleted during FY 2012,         OIG has reported many of these remaining recommendations since\nother OIG audits completed        2001, when we first detailed a material weakness in the design and\nthroughout the year, and the      effectiveness of USDA\xe2\x80\x99s overall IT security program.\nresults of reviews performed\nby contract auditors. In total,   In order to mitigate the continuing material weakness, we have\nour FY 2012 audit work            recommended that USDA and its agencies work together to define\ncovered 10 agencies and staff     and accomplish a manageable number of critical objectives before\noffices, operating about 124 of   proceeding to the next set of priorities. Instead, when the Department\nthe Department\xe2\x80\x99s 251 major        received $66 million in increased funding in FY 2010 and 2011, the\nsystems.                          Office of the Chief Information Officer (OCIO) used the money to\n                                  fund 16 separate projects, some of which did not address the\nWhat OIG Recommends               Department\xe2\x80\x99s most critical IT security concerns.\nThe Department should\n                                  Again this year, we continue to report a material weakness in USDA\xe2\x80\x99s\ncomplete actions on the 29\n                                  IT security. 
The Department has not (1) established a continuous\noutstanding recommendations\n                                  program for monitoring IT security or contractor systems; (2) ensured\nfrom the FY 2009-2011\n                                  that agencies securely configure their computers, as required;\nFISMA audit reports and the\n                                  (3) mandated user multi-factor authentication; (4) consistently\n6 new recommendations\n                                  reported security incidents; (5) implemented a risk-based framework\nincluded in this report.\n                                  for handling security issues; (6) adequately remediated weaknesses;\n                                  (7) implemented adequate contingency policies and procedures; and\n                                  (8) adequately planned for security costs.\n\x0c\x0cUSDA \t                             8\x116\x11\n                                     Office of Inspector General \n\n                                      Washington, D.C. 20250 \n\n\n\n\n\nDATE:               1 5 2012\nJeffrey D. Zients\nDeputy Director for Management\nThe Office of Management and Budget\n725 17th Street, NW\nWashington, D.C. 20503\n\nSUBJECT: \t     U.S. Department of Agriculture, Office of the Chieflnformation Officer,\n               Fiscal Year 2012 Federal Information Security Management Act Report\n               (Audit Report 50501-0003-12)\n\nThis report presents the results of our audits of the Department of Agriculture \' s (USDA) efforts\nto improve the management and security of its information technology (IT) resources. USDA\nand its agencies have taken actions to improve the security over their IT resources; however,\nadditional actions are still needed to establish an effective security program.\n\n\n\n\nPhyllis K. 
Fong\nInspector General\n\x0c\x0cTable of Contents\n\nFindings and Recommendations.............................................................................1\n   Recommendations.................................................................................................8\n   Background .........................................................................................................10\n   Objectives ............................................................................................................11\nScope and Methodology .........................................................................................12\nAbbreviations .........................................................................................................14\nExhibit A: Office of Management and Budget (OMB)/Department of\nHomeland Security (DHS) Reporting Requirements and U. S. Department of\nAgriculture (USDA) Office of Inspector General (OIG) Position .....................16\nExhibit B: Sampling Methodology and Projections ..........................................49\n\x0c\x0cU.\xc2\xa0S.\xc2\xa0Department\xc2\xa0of\xc2\xa0Agriculture,\xc2\xa0Office\xc2\xa0of\xc2\xa0the\xc2\xa0Chief\xc2\xa0Information\xc2\xa0\nOfficer\xc2\xa0(OCIO),\xc2\xa0Fiscal\xc2\xa0Year\xc2\xa02012\xc2\xa0Federal\xc2\xa0Information\xc2\xa0Security\xc2\xa0\nManagement\xc2\xa0Act\xc2\xa0(FISMA)\xc2\xa0(Audit\xc2\xa0Report\xc2\xa050501-0003-12)\xc2\xa0\n\nFindings and Recommendations\nThis report constitutes the Office of Inspector General\xe2\x80\x99s (OIG) independent evaluation of the\nDepartment of Agriculture\xe2\x80\x99s (USDA) Information Technology (IT) security program and\npractices, as required by the Federal Information Security Management Act (FISMA) of 2002,\nand is based on the questions provided by the Office of Management and Budget\n(OMB)/Department of Homeland Security (DHS). 
These questions are designed to assess the\nstatus of the Department\xe2\x80\x99s security posture during fiscal year (FY) 2012. The OMB/DHS\nframework requires OIG to audit processes, policies, and procedures that had already been\nimplemented and documented, and were being monitored during FY 2012. While USDA\xe2\x80\x99s\nplanned activities might improve its security posture in the future, we could not evaluate these\ninitiatives as part of our FY 2012 FISMA review because they were not fully operational during\nthe year. However, we did note that during FY 2012, the Office of the Chief Information Officer\n(OCIO) began a reorganization, appointed its first Chief Information Security Officer, and\nelevated the responsibility for policies to the executive level.\n\nUSDA has made improvements in its IT security over the last decade, but many longstanding\nweaknesses remain. In our FISMA audits for FYs 2009, 2010, and 2011, OIG made\n43 recommendations for improving the overall security of USDA\xe2\x80\x99s systems. By the end of\nFY 2012, the Department had remediated and closed only 14 recommendations, leaving 29 to be\naddressed. OIG has reported on many of these remaining recommendations since 2001, when\nwe first detailed material weaknesses in the design and effectiveness of USDA\xe2\x80\x99s overall IT\nsecurity program. The findings in this report continue to be a material IT weakness for the\nDepartment.\n\nUSDA is a large, complex organization that includes 34 separate agencies and staff offices, most\nwith their own IT infrastructure. Since 2009, in order to mitigate continuing material\nweaknesses, we have reported that the Department should concentrate its efforts on a limited\nnumber of priorities, instead of attempting to achieve numerous goals simultaneously in short\ntimeframes. 
We recommended that USDA and its agencies work together to define and\naccomplish a limited number of critical objectives before proceeding to the next set of priorities.\n\nWhen the Department received $66 million in increased funding in FYs 2010 and 2011, OCIO\nused the money to fund 16 separate projects rather than funding a manageable number of\nprioritized projects.1 When OCIO initially requested the increase in funding from Congress,\nOCIO proposed that these funds be used to bolster three IT security areas: Network Security\nAssessments, Security Tools, and the creation of an Agriculture Security Operations\n\n1\n  Audit 88401-0001-12, Audit of the Office of the Chief Information Officer\xe2\x80\x99s FYs 2010 and 2011 Funding Received\nfor Security Enhancements (August 2012).\n\n\n                                                                      AUDIT REPORT 50501-0003-12              1\n\x0cCenter (ASOC). However, we found that when OCIO received its funding increase for the\nproposed projects, it did not use the money exclusively for the purposes outlined in its\nCongressional request or for projects addressing the Department\xe2\x80\x99s most critical IT security\nconcerns. Network Security Assessments were not completed for all agencies, security tools\nwere not fully implemented and those implemented were not capable of capturing all USDA\nnetwork traffic, and the ASOC is not a 24x7x365 operation.2 Rather, OCIO expended over\n$6.7 million of these funds for an IT intern program, a re-engineered Certification and\nAccreditation (C&A) project, and a governance and risk compliance team. While these three\nprograms may be beneficial in the long run, they did little to further the more pressing objective\nof improving USDA\xe2\x80\x99s IT security. 
Focusing resources on these three projects may have\ndetracted from other more pressing projects\xe2\x80\x94such as conducting network security\nassessments\xe2\x80\x94that more directly addressed Congress\xe2\x80\x99 and the Department\xe2\x80\x99s IT security\npriorities. In addition, in April 2011, Congress reduced OCIO\xe2\x80\x99s appropriation as part of the\ncontinuing resolution. This caused many of the 16 projects to be severely scaled back and project\ntimelines to be extended further into the future.\n\nWe continue to recommend that USDA undertake a manageable number of its highest priority\nprojects and show measureable progress towards the milestones for each active project. USDA\xe2\x80\x99s\ninability to complete projects in a timely manner continues to hinder its progress towards\nimproving its security posture.\n\nThe following summarizes the key matters discussed in Exhibit A of this report, which contains\nOIG\xe2\x80\x99s responses to the OMB/DHS questions. These questions were defined in OMB\nMemorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management (October 2, 2012) and DHS Federal\nInformation Security Memorandum 12-02, FY 2012 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management (February 15, 2012).\n\nTo address the FISMA metrics, OIG reviewed systems and agencies, OIG independent\ncontractor audits, annual agency self-assessments, and various OIG audits throughout the year.3\nSince the scope of each review and audit differed, we could not use every review or audit to\naddress each question.\n\nDuring our review we found that USDA has not established a continuous monitoring program.\nSpecifically, we found that the Department has not established a policy, strategies, or plans for\ncontinuous monitoring. 
Additionally, we found 25 of 254 systems where ongoing assessments\n\n\n\n2\n  In FY 2010, OCIO informed Congress that it would utilize $12.3 million to establish ASOC, which was to\n\xe2\x80\x9ccoordinate continuous 24x7x365 security operations to defend USDA information, assets, network and systems.\xe2\x80\x9d\nThe term \xe2\x80\x9c24x7x365\xe2\x80\x9d is defined as 24 hours a day, 7 days a week, and 365 days a year.\n3\n  Agency annual self-assessments derive from OMB Circular A-123, which defines Management\xe2\x80\x99s Responsibilities\nfor Internal Control in Federal Agencies (December 21, 2004). The circular requires agency\xe2\x80\x99s management to\nannually provide assurances on internal control in Performance and Accountability Reports. During annual\nassessments, agencies take measures to develop, implement, assess, and report on internal controls, and take action\non needed improvements.\n\n\n2     AUDIT REPORT 50501-0003-12\n\x0cof selected security controls had not been performed in FY 2012.4 As a result, agencies that own\nthese systems cannot ensure that controls remain effective over time, as changes occur in threats,\nmissions, environments of operation, and technologies. In our FY 2010 FISMA report, OIG\nrecommended that the Department develop policies, procedures, strategies, and implementation\nplans for continuous monitoring. The Department concurred and stated it would have a policy,\nprocedures, strategy, and plans in place by September 30, 2011; however, the recommendation\nremains open. OCIO stated that it does not have the resources currently to support this function\nand is waiting for more definite Federal guidance from the National Institute of Standards and\nTechnology (NIST) and other working groups.\n\nThe Department has established, and is maintaining, a security configuration management\nprogram; however, there are opportunities for improvement. 
Specifically, we found that the\nDepartment has established adequate policy, and has made standard baseline configurations\navailable for all operating systems in use; however, agencies have not followed the policy or\nbaselines when configuring their servers and workstations. Specifically, one agency that OCIO\nis responsible for was not scanning its devices, while another agency was only scanning\n11 percent of its devices. We also found that five of five agencies reviewed did not have a\nprocess for timely remediation of scan result deviations.5 For example, OIG ran a commercially\navailable vulnerability scan tool on 4,372 devices within the Department to verify that\nvulnerabilities were mitigated timely. We found 6,109 high and medium vulnerabilities were\npresent and not corrected; 3,111 of these were over 6 months old. In the FY 2010 FISMA audit,\nOIG recommended the Department ensure scanning for compliance to the baseline\nconfigurations and for vulnerabilities is performed, as required by NIST. This recommendation\nremains open; OCIO has exceeded its estimated implementation date of August 30, 2011. OCIO\nis currently working on deploying a Departmentwide vulnerability scanner.\n\nThe Department has established an identity and access management program that is consistent\nwith FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and\nnetwork devices. The Department has developed an account and identity management policy\nthat is compliant with NIST standards and has adequately planned for Personal Identification\nVerification (PIV) implementation for logical access, in accordance with Government standards.6\nAdditionally, agencies were able to identify devices, users, and non-users who access their\norganization\xe2\x80\x99s systems and networks. However, our testing identified opportunities for\nimprovement. 
We found that the Department and two agencies reviewed do not mandate\n\n\n\n4\n  The 254 major applications were reported in the Cyber Security Assessment and Management (CSAM) system as\nof October 2, 2012 at 8:49 a.m.\n5\n  A vulnerability scan is the process of determining the presence of known vulnerabilities by evaluating the target\nsystem over the network. DM 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005), requires that\nvulnerability scans are to be performed on a monthly basis for all existing and new networks, systems, servers, and\ndesktops by duly authorized users in accordance with established procedures.\n6\n  The Executive Branch mandate entitled, Homeland Security Presidential Directive-12 (HSPD-12), originally\nissued in August 2004, requires Federal agencies to develop and deploy for all of their contract personnel and\nemployees a PIV credential, which is used as a standardized, interoperable card capable of being used as employee\nidentification and allows for both physical and information technology system access.\n\n\n                                                                         AUDIT REPORT 50501-0003-12               3\n\x0cmulti-factor authentication, as required.7 In addition, agencies that had implemented multi-factor\nauthentication were using an alternate method, instead of the organization\xe2\x80\x99s PIV card.8 Agencies\nwere reluctant to use the PIV card due to the length of time involved in receiving new or\nreplacement cards. We also found that agencies did not ensure that users are granted access\nbased on need and agencies did not ensure that accounts were terminated or deactivated once\naccess was no longer required. We found 363 separated users in the two agencies that still had\nactive accounts. One agency stated that its goal was to keep the separated employees with active\naccounts to less than 3 percent. 
Department policy states that accounts should be disabled within\n48 hours of an employee\xe2\x80\x99s separation.\n\nThe Department has established an incident response and reporting program that is consistent\nwith FISMA requirements, OMB policy, and applicable NIST guidelines. Although USDA\xe2\x80\x99s\nincident handling has improved, we continue to find that the Department is not consistently\nfollowing its own policy and procedures in regard to incident response and reporting. OCIO has\nimplemented new procedures that it actually uses daily, but it has not updated its official\ndocumented procedures. Our review of 75 incidents disclosed that 32 incidents were not handled\nin accordance with Departmental procedures.9 Of the 32 incidents identified, USDA did not\nreport 31 of the incidents to United States-Computer Emergency Response Team (US-CERT)\nwithin the required timeframe\xe2\x80\x9418 of these incidents were the result of a lost or stolen device.\nThese incidents were not promptly reported to the Incident Handling Division (IHD). 10\nAdditional testing determined the Department has implemented technical capabilities to allow it\nto correlate incidents across the Department; however, based on the status of the tools deployed,\nas well as the methodologies utilized for deployment, it does not have the ability to correlate\nincidents throughout the entire USDA network infrastructure. Based on testing of USDA\xe2\x80\x99s cloud\nprovider\xe2\x80\x99s traffic, discussions with USDA IT personnel, and our review of the cloud provider\nService Agreement and Incident Plan, we also determined that the Department is not capable of\nmanaging risks in a virtual/cloud environment. 
USDA lacks the ability to track cloud traffic, the\ncloud service does not have its own Data Loss Prevention (DLP) solution deployed, and the\nservice agreement between USDA and its cloud service provider does not include the appropriate\nprovisions outlining the roles and responsibilities for each party.11\n\n7\n  Dual-factor (or multi-factor) authentication is a security process in which the user provides two means of\nidentification, one of which is typically a physical token, such as a card, and the other of which is typically\nsomething memorized, such as a security code. Departmental Regulation (DR) 3505-003, Access Control Policy\n(August 11, 2009), requires the use of dual or multi-factor authentication.\n8\n  Multi-factor authentication can also utilize a hardware token or virtual token or a smart card (PIV), ("something\nthe user has"), or a thumbprint or iris scanner ("something the user is"). HSPD-12 requires the use of the PIV card.\n9\n  Departmental Standard Operating Procedure (SOP)-ASOC-001, Agriculture Security Operations Center (ASOC)\nComputer Incident Response Team (CIRT), Standard Operating Procedures for Reporting Security and Personally\nIdentifiable Information Incidents (June 9, 2009).\n10\n   The US-CERT provides response support and defense against cyber-attacks for the Federal Civil Executive\nBranch (.gov) and information sharing and collaboration with State and local government, industry, and\ninternational partners. US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the\nDHS. NCSD was established by DHS to serve as the Federal Government\xe2\x80\x99s cornerstone for cyber security\ncoordination and preparedness.\n11\n   DLP is the ability \xe2\x80\x9cto detect inappropriate transport of sensitive information and halt the traffic prior to leaving the\nnetwork. Examples of sensitive content are personal identifiers (e.g. 
credit card or Social Security numbers) or\ncorporate intellectual property.\xe2\x80\x9d\n\n\n4      AUDIT REPORT 50501-0003-12\n\x0cThe Department does not have a Risk Management Framework (RMF) that is consistent with\nFISMA requirements, OMB policy, and applicable NIST guidelines.12 We continue to find that\nthe RMF required by NIST has not been planned and implemented. According to the\nDepartment, this occurred due to lack of resources for OCIO\xe2\x80\x99s governance team. Agency\nofficials are responsible for ensuring all systems meet Federal and Departmental requirements\nand documenting agency compliance in the CSAM system.13 OCIO is also responsible for\nensuring that agencies are compliant with Federal and Departmental guidance and are reporting\naggregate results during the annual FISMA reporting cycle. NIST transforms the traditional\nAssessment and Authorization (A&A) process into a six-step RMF process.14\n\nThe Department issued a guide that addresses parts of the six-step RMF process. The guide also\nclarifies the steps necessary to complete the A&A process. This process requires agencies to\nsubmit their systems\xe2\x80\x99 A&A packages, and all supporting documents to the Department for an\nin-depth review (i.e., a concurrency review). During this review, USDA ensures that the\ndocumentation prepared to support system accreditation is complete, accurate, reliable, and\nmeets NIST and other mandated standards. Although the process has changed, we continue to\nfind:\n\n     \xc2\xb7   USDA completed its in-depth document reviews and appropriately returned A&A\n         packages to agencies that did not meet NIST requirements. However, we found that\n         improvements are still needed. 
Specifically, the following A&A documentation did not\n         meet NIST requirements: (1) systems were not properly categorized; (2) system security\n         plan (SSP) controls were not implemented properly and did not sufficiently address each\n         control; and (3) security assessment reports did not include an authorized security\n\n\n\n\n12\n   The RMF is a NIST publication. The publication promulgates a common framework which is intended to\nimprove information security, strengthen risk management, and encourage reciprocity between Federal agencies.\nNIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal\nInformation Systems (February 2010), was developed by the Joint Task Force Transformation Initiative Working\nGroup. OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act\n(August 23, 2004).\n13\n   CSAM is a comprehensive system developed by the Department of Justice, which can facilitate achieving FISMA\ncompliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staffs to (1)\nmanage their system inventory, interfaces, and related system security threats and risks; (2) enter system security\ndata into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system\nsecurity documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate\ncustom and pre-defined system security status reports to effectively and efficiently monitor each agency\xe2\x80\x99s security\nposture and FISMA compliance. This includes agency-owned systems as well as those operated by contractors on\nthe agency\xe2\x80\x99s behalf.\n14\n   A&A is the new terminology for the former C&A process mandated by OMB Circular A-130, Appendix III,\nSecurity of Federal Automated Information Resources (November 28, 2000). 
The process requires that IT system\ncontrols be documented and tested by technical personnel and that the system is granted a formal Authority to\nOperate (ATO) by an agency official.\n\n\n                                                                           AUDIT REPORT 50501-0003-12                5\n\x0c          assessment plan.15 As a result, USDA cannot be assured that all system controls were\n          documented and tested, and that systems were operating at an acceptable level of risk.\n\n     \xc2\xb7    Additionally, we found an OCIO parent system in the development stage with three child\n          systems that were operational with no Authority to Operate (ATO), and another six\n          systems that are operational with no ATO.16 Furthermore, the Department has\n          22 systems with expired ATOs, one system being CSAM, the Department\xe2\x80\x99s system\n          repository. As a result, these systems are operational, but without proper security\n          certification, which leaves the agencies and the Department vulnerable because the\n          systems have not been through proper security testing.\n\nThe Department has established a security training program that is consistent with FISMA\nrequirements, OMB policy, and applicable NIST guidelines. Department policy met all NIST\nrequirements for annual security awareness training.17 However, we identified opportunities for\nimprovement. Specifically, USDA lacks policy and procedures to govern specialized security\n(role-based) training for personnel with significant information security responsibilities. 
NIST\nstates that before allowing individuals access to the application, all individuals should receive\nspecialized training focused on their responsibilities and the application rules.\n\nThe Department has established a Plan of Action and Milestones (POA&M) program that is\nconsistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks\nand monitors known information security weaknesses.18 However, our testing identified some\ndeficiencies. For example, the Department did not have effective policies and procedures for\nreporting IT security deficiencies in CSAM. We found the POA&Ms did not always include all\nknown security weaknesses. For example, the Department failed to create POA&Ms for the\n10 OIG recommendations, based on IT security deficiencies, in the FY 2011 FISMA audit\nreport. These missing POA&Ms occurred because the Department security manual did not\ninclude a policy for establishing a POA&M process for reporting IT security deficiencies and\ntracking the status of remediation efforts. In addition, our review of POA&Ms within CSAM\nfound that agencies were not adequately detailing their plans for remediation and were not\nincluding proper supporting documentation for effective closure. We found 176 of 1,106\nFY 2012 closed POA&Ms had remediation actions that did not sufficiently address the identified\n\n15\n   The SSP is a required A&A document that provides an overview of the security requirements of the system and\ndescribes the controls in place (or planned) for meeting those requirements. The SSP also delineates the\nresponsibilities and expected behavior of all individuals who access the system. NIST SP 800-18, Guide for\nDeveloping Security Plans for Federal Information Systems (February 2006). 
The results of the security control\nassessment, including recommendations for correcting any weaknesses or deficiencies in the controls, are\ndocumented in the security assessment report (SAR).\n16\n   A parent system owns, manages, and/or controls the child system.\n17\n   NIST SP800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations\n(August 2009).\n18\n   A POA&M is a tool that identifies tasks needing to be accomplished to assist agencies in identifying, assessing,\nprioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and\nsystems. It details resources required to accomplish the elements of the plan, milestones for meeting the tasks, and\nscheduled completion dates for the milestones. The goal of a POA&M should be to reduce the risk of the weakness\nidentified.\n\n\n6        AUDIT REPORT 50501-0003-12\n\x0cweakness. We also noted that the Department is not tracking and reviewing POA&Ms, as\nrequired by the Department\xe2\x80\x99s SOP.19 Finally, we found that the Department was not completing\nquarterly reviews of closed POA&Ms and was not reviewing all closed audit POA&Ms, as\nrequired.\n\nThe Department has established a remote access program that is consistent with FISMA\nrequirements and OMB policy. However, our testing identified that Departmental policies for\nremote access and teleworking did not meet NIST requirements and the two agencies we\nreviewed stated that they depended on the Departmental policies. In our FY 2010 FISMA report,\nwe recommended that the Department update its policy and procedures to be NIST compliant.\nThis recommendation is still open; OCIO has exceeded its estimated completion date of August\n31, 2011. We also found, or the agencies self-reported, that three out of three agencies\xe2\x80\x99 remote\naccess programs did not protect against unauthorized connections or subversion of authorized\nconnections. 
The agencies were not reviewing access logs to determine if unauthorized remote\naccess had occurred. The agencies stated that they were reviewing the logs, but were unable to\nprovide any documentation that the review had occurred. USDA requires multi-factor\nauthentication for all remote access (i.e., two means of identification).20 However, we found, or\nthe agencies self-reported, that four of four agencies did not have multi-factor authentication\nproperly implemented. As noted above, agencies are reluctant to use the PIV card, due to the\nlength of time involved for receiving new or replacement cards. Inadequate security controls\nover remote access and teleworking could result in the unauthorized access, use, disclosure,\nmodification, or destruction of information.\n\nThe Department has established an enterprisewide business continuity/disaster recovery program\nthat is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.\nHowever, our testing identified opportunities for improvement. Specifically, the Department\xe2\x80\x99s\ncontingency policies and procedures did not meet NIST SP 800-53 requirements. We found the\nDepartmental template provided to the agencies for contingency planning purposes did not\ncontain all of NIST\xe2\x80\x99s required elements. In the FY 2010 FISMA report we recommended that\nOCIO update the contingency plan template to meet NIST requirements. This recommendation\nis still open; OCIO has exceeded the estimated completion date of September 30, 2011. 
The Department has stated that it has updated the template and it is currently in the approval process. We also found 42 of 247 systems in CSAM that had not completed contingency plan testing or updated documentation in CSAM for FY 2012.[21] Agencies stated that this occurred because of a lack of proper documentation or inadequate resources.

The Department does not have a program in place, a documented policy, or fully developed procedures to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in the cloud. OCIO has had a policy in draft for 2 years and has not yet finalized it. Due to the lack of policies and procedures in the Department, we found one system was not included in the inventory of contractor systems. In addition, FISMA requires USDA to maintain an inventory of its information systems that, among other information, identifies interfaces between other agency systems.

[19] Departmental SOP, Plan of Action and Milestones Management (June 29, 2011).

[20] Multi-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other is typically something memorized, such as a security code. In this context, the two factors involved are sometimes referred to as “‘something you have’ and ‘something you know.’”

[21] The 247 major applications were reported in CSAM as of October 2, 2012.
Specifically, we found eight contractor systems with expired ATOs, four contractor systems with missing interconnection agreements, and five contractor systems with missing authorizing signatures. Additionally, OIG found one vendor-controlled (cloud) system that was in production for 15 months before NIST-required documentation was in CSAM.

Our testing of USDA’s capital planning process determined the Department has established and maintains a capital planning and investment program for information security. However, testing determined that USDA does not maintain sufficient documentation to support its annual IT investment budgetary requests. The agencies stated that they were unaware of the need to retain adequate supporting documentation used for the budgeting process.

The below recommendations are new for FY 2012. Because 29 recommendations from FY 2009, FY 2010, and FY 2011 remain without final closure, we have not made any repeat recommendations. If the plans initiated to close out the FY 2009, 2010, and 2011 recommendations are no longer achievable, due to budget cuts or other reasons, then OCIO needs to update those closure plans and request a change in management decision, in accordance with Departmental guidance.

Recommendations

1. Modify the service agreement between the Department and the e-mail cloud service provider to incorporate appropriate detail, outlining the roles and responsibilities of each party pertaining to incident response and reporting. Additionally, the Department should work with the cloud provider to gain visibility into USDA’s e-mail system (i.e., so that the Department can view/monitor network traffic in the cloud system).

2. The Department should deploy adequate/appropriate technology on the necessary routers to capture all network traffic.

3. The Department should finalize the deployment of its security tools in order to correlate incidents across the network.

4. The Department should verify that all systems have the proper authority to operate prior to implementation.

5. Develop and implement an effective process for making sure interface connections are documented, and that Interconnections Agreements accurately reflect all connections to the systems. The Department needs to review interfaces during the annual testing processes.

6. Incorporate a review of line items in the annual Capital Planning cycle to verify that information security resources requested by the agencies are accompanied by required supporting documentation.

Background & Objectives

Background

Improving the overall management and security of IT resources needs to be a top priority for USDA. Technology enhances users’ ability to share information instantaneously among computers and networks, but it also makes organizations’ networks and IT resources vulnerable to malicious activity and exploitation by internal and external sources. Insiders with malicious intent, recreational and institutional hackers, and attacks by foreign intelligence organizations are a few of the threats to the Department’s critical systems and data.

On December 17, 2002, the President signed into law the e-Government Act (Public Law 107-347), which includes Title III, FISMA. FISMA permanently reauthorized the framework established by the Government Information Security Reform Act (GISRA) of 2000, which expired in November 2002. FISMA continued the annual review and reporting requirements introduced in GISRA, and also included new provisions that further strengthened the security of Federal Government data and information systems, such as requiring the development of minimum control standards for agencies’ systems.
NIST was tasked to work with agencies in developing those standards as part of its statutory role in providing technical guidance to Federal agencies.

FISMA supplements the information security requirements established in the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996. FISMA consolidated these separate requirements and guidance into an overall framework for managing information security. It established new annual reviews, independent evaluations, and reporting requirements to ensure agencies implemented FISMA. It also established how OMB and Congress would oversee IT security.

FISMA assigned specific responsibilities to OMB, agency heads, Chief Information Officers (CIO), and Inspectors General (IG). In OMB Memorandum M-10-28, OMB transferred portions of its responsibilities to DHS. The memorandum clarified that OMB is responsible for establishing and overseeing policies, standards, and guidelines for information security. It further stated that DHS exercises primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within FISMA. DHS was given broad implementation responsibilities to include overseeing agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of its annual FISMA report.

Each agency must establish a risk-based information security program that ensures information security is practiced throughout the lifecycle of each agency’s systems.
Specifically, the agency’s CIO is required to oversee the program, which must include:

   ·   Periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems and data supporting critical operations and assets;
   ·   Development and implementation of risk-based, cost-effective policies and procedures to provide security protections for the agency’s information;
   ·   Training that covers security responsibilities for information security personnel and security awareness for agency personnel;
   ·   Periodic management testing and evaluation of the effectiveness of security policies, procedures, controls, and techniques;
   ·   Processes for identifying and remediating significant security deficiencies;
   ·   Procedures for detecting, reporting, and responding to security incidents; and
   ·   Annual program reviews by agency officials.

In addition to the responsibilities listed above, FISMA requires each agency to have an annual independent evaluation of its information security program and practices, including control testing and a compliance assessment.
The evaluations are to be performed by the agency’s IG or an independent evaluator, and the results of these evaluations are to be reported to OMB.

Objectives

The objective of this audit was to evaluate the status of USDA’s overall IT security program by evaluating the:

   ·   Effectiveness of the Department’s oversight of agencies’ IT security programs and compliance with FISMA;
   ·   Agencies’ systems of internal controls over IT assets;
   ·   Department’s progress in establishing a Departmentwide security program, which includes effective assessment and authorizations;
   ·   Agencies’ and the Department’s POA&M consolidation and reporting process; and
   ·   Effectiveness of controls over configuration management, incident response, IT training, remote access management, identity and access management, continuous monitoring, contingency planning, contractor systems, and capital planning.

Scope and Methodology

The scope of our review was Departmentwide and included agency IT audit work completed during FY 2012. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Fieldwork for this audit was performed remotely at USDA locations throughout the continental United States from May 2012 through October 2012. In addition, this report incorporates audits done throughout the year by OIG.
Testing was conducted at offices in the Washington, D.C. and Kansas City, Missouri, areas. Additionally, we included the results of IT control testing and compliance with laws and regulations performed by contract auditors at seven additional USDA agencies. In total, our FY 2012 audit work covered 10 agencies and staff offices:

   ·   Agricultural Research Service (ARS),
   ·   Foreign Agricultural Service (FAS),
   ·   Federal Crop Insurance Corporation (FCIC),
   ·   Forest Service (FS),
   ·   Farm Service Agency (FSA),
   ·   International Technology Services (ITS),
   ·   National Information Technology Center (NITC),
   ·   Natural Resources Conservation Service (NRCS),
   ·   Office of the Chief Financial Officer (OCFO), and
   ·   Office of the Chief Information Officer (OCIO).

These agencies and staff offices operate approximately 124 of the Department’s 251 general support and major application systems.[22]

To accomplish our audit objectives, we performed the following procedures:

   ·   Consolidated the results and issues from our prior IT security audit work and the work contractors performed on our behalf. Contractor audit work consisted primarily of audit procedures found in the U.S. Government Accountability Office’s (GAO) Financial Information System Control Audit Manual;
   ·   Evaluated the Department’s progress in implementing recommendations to correct material weaknesses identified in prior OIG and GAO audit reports;
   ·   Gathered the necessary information to address the specific reporting requirements outlined in OMB Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (October 2, 2012);
   ·   Performed detailed testing specific to FISMA requirements at selected agencies, as detailed in this report; and
   ·   Performed statistical sampling on testing, where appropriate. Additional sample analysis information is presented in Exhibit B.

Testing results were compared against NIST controls, OMB/DHS guidance, e-Government Act requirements, and Departmental policies and procedures for compliance.

[22] The 251 major applications were reported in CSAM as of October 2, 2012 at 6:26 a.m. The total number of systems can vary based upon the date/time the report is run. New systems can be added and old systems retired. The total universe of systems in this report varies because tests were done at different times throughout FY 2012.

Abbreviations

A&A ............................ Assessment and Authorization
ARS ............................. Agricultural Research Service
ASCO .......................... Agriculture Security Operations Center
ATO ............................ Authority to Operate
BIA .............................. Business Impact Analysis
C&A ............................ Certification and Accreditation
CIO .............................. Chief Information Officer
CIRT ........................... Computer Incident Response Team
CISO ........................... Chief Information Security Office
CPIC ............................ Capital Planning and Investment Control
CPD ............................. Capital Planning Division
CPO ............................. Cyber Policy Oversight
CSAM ......................... Cyber Security Assessment and Management
DHS............................. Department of Homeland Security
DLP ............................. Data Loss Prevention
DM .............................. Departmental Manual
DoD ............................. Department of Defense
DR ............................... Departmental Regulation
FAS ............................. Foreign Agricultural Service
FCIC ............................ Federal Crop Insurance Corporation
FDCC .......................... Federal Desktop Core Configurations
FISMA ........................ Federal Information Security Management Act
FS ................................ Forest Service
FSA ............................. Farm Service Agency
FY ............................... Fiscal Year
GAO ............................ Government Accountability Office
GISRA......................... Government Information Security Reform Act
HSPD-12 ..................... Homeland Security Presidential Directive-12
IG ................................ Inspector General
IHD ............................. Incident Handling Division
IP ................................. Internet Protocol
IT ................................. Information Technology
ITS............................... International Technology Services
MOU ........................... Memorandum of Understanding
NCSD .......................... National Cyber Security Division
NIST ............................ National Institute of Standards and Technology
NITC ........................... National Information Technology Center
NRCS .......................... Natural Resources Conservation Service
OCFO .......................... Office of the Chief Financial Officer
OCIO ........................... Office of the Chief Information Officer
OIG ............................. Office of Inspector General
OMB ........................... Office of Management and Budget
PII................................ Personally Identifiable Information
PIV .............................. Personal Identification Verification
POA&M ...................... Plan of Action and Milestone
RMF ............................ Risk Management Framework
SAP ............................. Security Assessment Plan
SAR ............................. Security Assessment Report
SOP ............................. Standard Operating Procedure
SP ................................ Special Publication
SSP .............................. System Security Plan
TT&E .......................... Test, Training, and Exercise
US-CERT .................... US-Computer Emergency Response Team
USDA.......................... Department of Agriculture

Exhibit A: Office of Management and Budget (OMB)/Department of Homeland Security (DHS) Reporting Requirements and U.S. Department of Agriculture (USDA) Office of Inspector General (OIG) Position

OMB/DHS’ questions are set apart using boldface type in each section. OIG checks items on OMB/DHS’ list, boldfacing and underlining the relevant text. We answer direct questions with either Yes or No.

The universe of systems and agencies reviewed varied during each audit or review in this report. As part of FISMA, OIG reviewed systems and agencies, audit work conducted for OIG by independent public accounting firm contractors, annual agency self-assessments, and various OIG audits conducted throughout the year.[23] Since the scope of each review and audit differed, we could not use every review or audit to answer each question.

The audit team reviewed all 11 FISMA areas. We incorporated statistical sampling for four FISMA areas.
Each of the four areas was represented by the relevant universe associated with it. The specific sample designs are summarized in Exhibit B.

S1: Continuous Monitoring Management

1.1 Has the Organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - No.

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

1.1.1 Documented policies and procedures for continuous monitoring (NIST 800-53: CA-7)? - No

The Department’s continuous monitoring policies and procedures were still in draft as of September 30, 2012. In the FY 2009 and 2010 FISMA report, OIG recommended that the Department develop policies, procedures, strategies, and implementation plans for continuous monitoring. The recommendation is still open and has exceeded the estimated completion date of September 30, 2011. OCIO stated that they do not have the resources currently to support this function and are waiting for more finite Federal guidance from NIST and other working groups.

In addition, we identified that two out of two agencies reviewed did not have an agency policy in place or the policy was missing NIST-required criteria.[24]

[23] Agency annual self-assessments are a result of OMB Circular A-123, Management’s Responsibility for Internal Control (December 21, 2004), which defines management’s responsibility for internal controls in Federal agencies. The Circular requires agencies’ management to annually provide assurances on internal control in its Performance and Accountability Report. During the annual assessment, agencies take measures to develop, implement, assess, and report on internal control, and to take action on needed improvements.

1.1.2 Documented strategy and plans for continuous monitoring (NIST 800-37 Rev. 1, Appendix G)? - No

The Department did not provide a strategy or plan for developing an entity-wide continuous monitoring plan. OIG was provided a draft Continuous Monitoring Concept PowerPoint presentation which has yet to be implemented. As noted above, the Department is over 1 year past the date these plans and strategies were due to be implemented. Without an entity-wide continuous monitoring program, the Department cannot effectively detect compliance and determine if the complete set of planned, required, and deployed security controls for an information system continue to be effective over time, in light of changes that occur on an ongoing basis.

1.1.3 Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans (NIST 800-53, NIST 800-53A)? - No

We identified 24 of 254 systems where ongoing assessments of selected security controls had not been performed in FY 2012.[25] The agencies that own these systems cannot ensure that controls remain effective over time, as changes occur in threats, missions, environments of operation, and technologies.

In the FY 2010 FISMA report, we recommended that the Department develop ongoing assessments of selected security controls that agencies have performed, based on the approved continuous monitoring plans.
OCIO has exceeded its estimated completion date of September 30, 2011.

1.1.4 Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions and updates with the frequency defined in the strategy and/or plans (NIST 800-53, NIST 800-53A)? - No

We found that one of two agencies was unable to verify that the required information was provided to the authorizing official or other key system officials.

In the FY 2010 FISMA report, we recommended that the Department ensure system authorizing officials and other key system officials are provided with security status reports covering updates to security plans and security assessment reports, as well as Plan of Action and Milestones (POA&M) additions. OCIO has exceeded its estimated completion date of September 30, 2011.

[24] NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (August 2009). CA-7 requires the organization to establish a continuous monitoring strategy and program.

[25] The 254 major applications were reported in CSAM as of October 2, 2012 at 8:49 a.m.

1.2 Please provide any additional information on the effectiveness of the Organization’s Continuous Monitoring Management Program that was not noted in the questions above.

No additional information to provide.

S2: Configuration Management

2.1 Has the Organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - Yes.

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

2.1.1 Documented policies and procedures for configuration management? - Yes

No exception noted. NIST requires that the organization develop formal documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.[26] OIG found the configuration management program includes adequate documented policies and procedures at both the Department and agency level.

2.1.2 Standard baseline configurations defined? - Yes

No exception noted. The Department follows the NIST configuration baseline guides.[27]

2.1.3 Assessing for compliance with baseline configurations? - No

NIST requires the organization to develop, document, and maintain a current baseline configuration of the information system. We found that 4 of 13 agencies reviewed did not configure servers in accordance with the NIST requirements.
Specifically, we found that over 50 percent of the settings on the Windows servers at two agencies were not compliant with the baseline guides provided by NIST. In addition, two other agencies self-reported a deficiency with baseline configurations.

In the FY 2009 FISMA report, we recommended that the Department implement effective policies and procedures to ensure agencies use required NIST and Departmental configuration checklists and have documented the reasons for those settings not being implemented. OCIO has exceeded its estimated completion date of July 30, 2011. Also, in the FY 2010 FISMA report, we recommended that the Department ensure documented configuration management procedures are developed and consistently implemented across the Department, including baseline configurations for all approved software and hardware. Any changes to the baseline guides should be documented and approved. OCIO has exceeded its estimated completion date of September 30, 2011.

[26] NIST SP 800-53, control CM-1 requires that a formal documented configuration management policy and procedures be developed.

[27] NIST SP 800-70 Rev. 2, National Checklist Program for IT Products—Guidelines for Checklist Users and Developers Recommendations (February 2011).

2.1.4 Process for timely, as specified in Organization policy or standards, remediation of scan result deviations CyberScope - FISMA Reporting? - No

We found that four of four agencies reviewed did not have a process for timely remediation of scan result deviations.[28] Specifically, OIG ran a commercially available vulnerability scan tool on 4,372 devices within the Department to verify that vulnerabilities were managed timely. We found 6,109 high and medium vulnerabilities were present and not corrected; 3,111 of these were over 6 months old.
As a result, networks and devices within the Department are at increased risk of compromise.

2.1.5 For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented? - No

NIST requires the organization to establish and document mandatory security configuration settings for information technology products employed within the information system. One such requirement is the Federal Desktop Core Configurations (FDCC) secure configurations for user workstations and laptops.[29] We found that two of three agencies reviewed did not fully implement FDCC secure configuration settings and document all deviations from baseline settings. Specifically, in the agencies tested we found a total of 1,175,172 FDCC settings that should have been implemented; however, 455,720 (38 percent) of the settings were not in compliance with FDCC standards. In one agency this was caused by moving to another environment that took much longer than anticipated. These missing standards make the laptops and workstations less secure and users more susceptible to compromise.

In the FY 2009 FISMA report, OIG recommended the Department complete the FDCC deployment and ensure all FDCC deviations are documented by the agencies. Final action has been achieved; however, this problem continues to be an issue.

2.1.6 Documented proposed or actual changes to hardware and software configurations? - No

NIST requires the organization to document approved configuration-controlled changes to the system. We found 6 of 13 agencies reviewed had changes to hardware and software that were not documented as required. Specifically, in one agency, we found 11 of 18 change records had no documented approvals as required. As a result, malicious changes could be implemented in production systems without the knowledge of the approving official.

[28] A vulnerability scan is the process of determining the presence of known vulnerabilities by evaluating the target system over the network. DM 3530-001, USDA Vulnerability Scan Procedures (July 20, 2005), requires that vulnerability scans are to be performed on a monthly basis for all existing and new networks, systems, servers, and desktops by duly authorized users in accordance with established procedures.

[29] OMB Memorandum 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (March 22, 2007), requires agencies to adopt the security configurations developed by NIST, the Department of Defense (DoD), and the Department of Homeland Security (DHS).

2.1.7 Process for timely and secure installation of software patches? - No

NIST requires the organization to identify and correct system flaws (known as vendor patches) and incorporate flaw remediation into the organizational configuration management process.[30] We found four of four agencies reviewed did not have an implemented process for timely and secure installation of software patches. Specifically, OIG found 397 high and medium vulnerabilities where the corrective action was to apply a vendor issued patch, of which 246 were available for at least 6 months and the agency had not installed it.

In the FY 2010 FISMA report, OIG recommended that the Department develop automated procedures for the timely and secure installation of software patches. The recommendation is still open and the OCIO has exceeded its estimated completion date of June 15, 2011.

2.1.8 Software assessing (scanning) capabilities are fully implemented (NIST 800-53: RA-5, SI-2)? - No

Department Manual 3530-001 requires all agencies to establish and implement procedures for accomplishing vulnerability scanning of all networks, systems, servers, and desktops for which they have a responsibility. This includes performing monthly scans and remediating vulnerabilities found as a result of the scans. We found two of two agencies reviewed did not implement scanning capabilities as required. Specifically, one agency was not scanning devices at all, and had not for over 9 months. Another agency only scanned 823 of 7,503 devices monthly. The agency only scanned 11 percent of its devices but reported 100 percent compliance to the Department.

In the FY 2009 FISMA report, OIG recommended that the Department develop and implement an effective monthly FISMA scorecard to be used for agency reporting and Departmental oversight. We also recommended that USDA ensure that the scorecard includes verifiable items such as vulnerability scanning, patching, anti-virus reports, and training. Final action has been achieved, but this problem continues to be an issue. In the FY 2010 FISMA report, OIG recommended that the Department ensure scanning for compliance to the baseline configurations and for vulnerabilities is performed as required by NIST. This recommendation is open and has exceeded the estimated completion date of September 30, 2011. OCIO is currently working on deploying a Departmentwide vulnerability scanner. In addition, OIG recommended in the FY 2011 FISMA report that the Department develop monitoring procedures to verify that monthly vulnerability scans are completed as required by Departmental guidance. No management decision has been reached for this recommendation.

[30] A patch is a small piece of software that is used to correct a problem with a software program or an operating system. Most major software companies will periodically release patches, usually downloadable from the internet, that correct very specific problems in their software programs.

2.1.9 Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in Organization policy or standards. (NIST 800-53: CM-4, CM-6, RA-5, SI-2)? - No

NIST requires Federal agencies to establish and document mandatory configuration settings for information technology products employed within the information system, and implement the recommended configuration settings. OIG found that 5 of 17 agencies reviewed did not remediate configuration vulnerabilities. Specifically, we found 2,799 configuration-related vulnerabilities on 195 network devices.[31] In addition, we found 1,055 configuration-related vulnerabilities on 6 websites maintained by the agencies.[32] Consequently, the devices and websites are at risk for compromise.

In the FY 2011 FISMA report, OIG recommended the Department develop monitoring procedures to verify that all Department and agency network devices are configured in accordance with NIST. Management decision has not been reached.

2.1.10 Patch management process is fully developed, as specified in Organization policy or standards. (NIST 800-53: CM-3, SI-2)? - No

NIST requires Federal agencies to incorporate vendor software flaw remediation (patches) into the organizational configuration management process. We found that four of four agencies reviewed did not have a fully developed patch management process. Specifically, as noted in our response to question 2.1.7, we found 246 high and medium vulnerabilities were present on USDA devices where the patches were available for 6 months or more but the agencies had not applied them.
As a result, USDA devices are susceptible to compromise.\n\n2.2\xc2\xa0\xc2\xa0\xc2\xa0Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0Organization\xe2\x80\x99s\xc2\xa0\nConfiguration Management Program that was not noted in the questions above.\n\nNo additional information to provide.\n\n\nS3: Identity and Access Management\n\n3.1 Has the Organization established an identity and access management program that is\nconsistent with FISMA requirements, OMB policy, and applicable NIST guidelines and\nidentifies users and network devices?- Yes.\n\nBesides the improvement opportunities that have been identified by the OIG, does the\nprogram include the following attributes:\n\n\n31\n   We utilized a commercially available software package designed to test security and configuration policies to\nanalyze agency network devices for compliance with FISMA requirements.\n32\n   We utilized a commercially available software package designed to thoroughly analyze Web applications and\nWeb services (websites) for security vulnerabilities.\n\n\n                                                                        AUDIT REPORT 50501-0003-12                 21\n\x0c3.1.1 Documented policies and procedures for account and identity management\n(NIST 800-53: AC-1)? - Yes\n\nNo exception noted. We found that the Department\'s current policy is substantially compliant\nand agencies\xe2\x80\x99 procedures met NIST SP 800-53.\n\n3.1.2 Identifies all users, including federal employees, contractors, and others who access\nOrganization systems (NIST 800-53, AC-2)? - Yes\n\nNo exception noted. We found that two out of the two agencies reviewed identified all users,\nincluding Federal employees, contractors, and others who access organization systems.\n\n3.1.3 Identifies when special access requirements (e.g., multi- factor authentication) are\nnecessary? 
- No\n\nCurrently, the Department requires agencies to implement multi-factor authentication for all\nforms of remote access to agency information systems.33 However, we found two out of two\nagencies did not have multi-factor authentication properly implemented.34 One agency stated it\nwas not using the Departmental solution because of the length of time it currently takes for field\nusers to receive their credentials.\n\n3.1.4 If multi-factor authentication is in use, it\xc2\xa0is\xc2\xa0linked\xc2\xa0to\xc2\xa0the\xc2\xa0Organization\xe2\x80\x99s PIV\nprogram where appropriate (NIST 800-53, IA-2)? - No\n\nWe found that two of two agencies reviewed did not use multi-factor authentication linked to the\nDepartment\xe2\x80\x99s Personal Identification Verification (PIV) credentials program.35 In addition, a\ncontractor review found an additional agency that did not use multi-factor authentication that\nwas linked to the PIV credentials program. One agency stated that it was not using it because\nmany of its rural employees had difficulty receiving their PIV cards due to the employees\xe2\x80\x99\nlocation. Inadequate security controls over special access requirements could result in the\nunauthorized access, use, disclosure, modification, or destruction of information.\n\n\n\n\n33\n   Departmental Regulation (DR) 3505-003, Access Control Policy (August 11, 2009). Multi-factor authentication is\na security process in which the user provides two means of identification, one of which is typically a physical token,\nsuch as a card, and the other is typically something memorized, such as a security code. 
In this context, the two\nfactors involved are sometimes spoken of as \xe2\x80\x9csomething you have\xe2\x80\x9d and \xe2\x80\x9csomething you know.\xe2\x80\x9d\n34\n   Dual-factor authentication is a security process in which the user provides two means of identification, one of\nwhich is typically a physical token, such as a card, and the other of which is typically something memorized, such as\na security code.\n35\n   The Executive Branch mandate entitled \xe2\x80\x9cHomeland Security Presidential Directive 12\xe2\x80\x9d (HSPD-12), originally\nissued in August 2004, requires Federal agencies to develop and deploy for all of their contract personnel and\nemployees a PIV credential which is used as a standardized, interoperable card capable of being used as employee\nidentification and allows for both physical and information technology system access.\n\n\n22      AUDIT REPORT 50501-0003-12\n\x0c3.1.5 Organization has adequately planned for implementation of PIV for logical access in\naccordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06,\nOMB M-08-01, OMB M-11-11)? - Yes\n\nNo exception noted. OIG found that all agencies reviewed were able to provide Federal and\nContractor employee HSPD-12 information regarding distribution of PIV cards.\n\n3.1.6 Ensures that the users are granted access based on needs and separation of duties\nprinciples? - No\n\nOIG found that 2 of 17 agencies reviewed did not ensure that users were granted access based on\nneed and separation of duties principles.36 The agencies did not have automated mechanisms to\nenforce privileges or perform periodic reviews of user privileges and could not verify if account\nprivilege reviews were performed by an authorized individual and followup occurred when\nnecessary. 
As a result, accounts have excessive privileges which may result in the unauthorized\naccess, misuse, disclosure, disruption, modification, or destruction of information.\n\n3.1.7 Identifies devices with IP addresses that are attached to the network and\ndistinguishes these devices from users (For example: IP phones, faxes, printers are\nexamples of devices attached to the network that are distinguishable from desktops, laptops\nor servers that have user accounts)? - Yes\n\nNo exception noted. OIG found that two of two agencies reviewed were able to provide\nevidence that their Identity and Access Management program identified devices with Internet\nProtocol addresses that are attached to the network.\n\n3.1.8 Identifies all User and Non-User Accounts (refers to user accounts that are on a\nsystem. Examples of non-user accounts are accounts such as an IP that is set up for\nprinting. Data user accounts are created to pull generic information from a database or a\nguest/anonymous account for generic login purposes that are not associated with a single\nuser or a specific group of users)? - Yes\n\nNo exception noted. OIG found that all agencies reviewed were able to identify user and non-\nuser accounts.\n\n3.1.9 Ensures that accounts are terminated or deactivated once access is no longer\nrequired? - No\n\nOIG found that 5 of 16 agencies did not ensure that accounts were terminated or deactivated\nonce access was no longer required. We found 363 separated users in two agencies that still had\nactive accounts. One agency stated that its goal was to keep the separated employees with active\naccounts to less than 3 percent. Department policy states that accounts should be disabled within\n\n36\n  Separation of duties is the concept of having more than one person required to complete a task, which helps\nprevent fraud and error. 
The concept of least privilege states that employees must be able to access only the\ninformation and resources that are necessary to complete their legitimate role or function.\n\n\n                                                                       AUDIT REPORT 50501-0003-12               23\n\x0c48 hours of an employee\xe2\x80\x99s separation. The agencies are not properly terminating users when\naccess is no longer required, which may result in the unauthorized access, misuse, disclosure,\ndisruption, modification, or destruction of information.\n\n3.1.10 Identifies and controls use of shared accounts? - Yes\n\nNo exception noted. OIG determined that all agencies reviewed, identified, and controlled\nshared accounts.\n\n3.2 Please provide any additional information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0Organization\xe2\x80\x99s\xc2\xa0\nIdentity and Access Management Program that was not noted in the questions above.\n\nNo additional information to provide.\n\n\nS4: Incident Response and Reporting\n\n4.1 Has the Organization established an incident response and reporting program that is\nconsistent with FISMA requirements, OMB policy, and applicable NIST guidelines?- Yes.\n\nBesides the improvement opportunities that may have been identified by the OIG, does the\nprogram include the following attributes:\n\n4.1.1 Documented policies and procedures for detecting, responding to and reporting\nincidents (NIST 800-53: IR-1)? - No\n\nUSDA Incident Handling policies and procedures were unchanged from our findings during the\nFY 2011 FISMA review. 
During FISMA 2011, we found that the Department policy met all of\nthe NIST requirements.37 However, our review in FY 2011 identified that the day-to-day\nprocedures were not accurately reflected in the documented Agriculture Security Operations\nCenter (ASOC) Standard Operating Procedure (SOP).38 As an example, we determined the SOP\ndid not include the updated versions of incident checklists utilized by the incident response team.\nFY 2012 testing found no changes in the procedures. In addition, we determined that three of\nthe three agencies tested for FISMA or during other audits did not have procedures that were\nfully developed or sufficiently detailed.\n\nIn the FY 2011 FISMA report, OIG recommended that the Department update its incident\nhandling procedures to reflect current practice. No management decision has been reached.\n\n\n\n\n37\n  NIST SP 800-61, Computer Security Incident Handling Guide (March 2008).\n38\n  Departmental SOP-ASOC-001, Agriculture Security Operations Center (ASOC) Computer Incident Response\nTeam (CIRT), SOP for Reporting Security and Personally Identifiable Information Incidents (June 9, 2009).\n\n\n24      AUDIT REPORT 50501-0003-12\n\x0c4.1.2 Comprehensive analysis, validation and documentation of incidents? - No\n\nOur review of incidents found that 32 of 75 were not handled in accordance with Departmental\nprocedures.39 Based on our overall sample results we estimate that 351 incidents (42.6 percent\nof the universe) were not handled in accordance with Departmental procedures.40 Agencies are\nrequired to submit documentation to the Department, detailing the steps taken to close out the\nincident. Specific documents and completed forms are required to be returned to the\nDepartment; however, we found that 4 of the 32 incidents had either incomplete incident\ndocumentation or did not include the required documentation outlined in the procedures. 
For\nexample, two of the checklists did not complete the Personally Identifiable Information (PII)\nchecklist required.41\n\n4.1.3 When applicable, reports to US-CERT within established timeframes\n(NIST 800-53, 800-61, and OMB M-07-16, M-06-19)? - No\n\nUS-CERT requires USDA to notify them of incidents within specified timeframes, based on the\ncategory of the incident.42 We reviewed a statistical sample of incidents that disclosed USDA\nhad not reported 31 of 75 incidents to US-CERT within the required timeframe, 18 of which\nwere the result of a lost or stolen device that was not promptly reported to OCIO\xe2\x80\x99s Incident\nHandling Division (IHD).43 Based on our overall sample results, we estimate that 340 incidents\n(41.3 percent of the universe), were not reported to US-CERT as required.44 For example,\nUS-CERT requires that lost or stolen equipment incidents be reported within one hour; however,\nwe found that an agency did not report a lost equipment incident to IHD (to forward to\nUS-CERT) for 213 days.45\n\n39\n   We based our sample size on a 30 percent error rate and a desired absolute precision of +/-10 percent, at the\n95 percent confidence level. With these assumptions, we calculated a sample size of 75 incidents for review and\nselected them by choosing a simple random sample. Additional sample design information is presented in\nExhibit B.\n40\n   We are 95 percent confident that between 261 (42.6 percent of the universe) and 441 (53.6 percent\nof the universe) FY12 incidents were not handled in accordance with departmental procedures. 
Additional sample\ndesign information is presented in Exhibit B.\n41\n   PII is defined as any information which can be used to distinguish or trace an individual\xe2\x80\x99s identity, such as name,\nsocial security number, date and place of birth, mother\xe2\x80\x99s maiden name, biometric records, etc., including any other\npersonal information that is linked or linkable to the individual.\n42\n   The US-CERT provides response support and defense against cyber-attacks for the Federal Civil Executive\nBranch (.gov) and information sharing and collaboration with State and local government, industry, and\ninternational partners. US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the\nDepartment of Homeland Security (DHS). NCSD was established by DHS to serve as the Federal Government\xe2\x80\x99s\ncornerstone for cyber security coordination and preparedness.\n43\n   We based our sample size on a 30 percent error rate and desired absolute precision of +/-10 percent, at the\n95 percent confidence level. With these assumptions, we calculated a sample size of 75 incidents for review and\nselected them by choosing a simple random sample. Additional sample design information is presented in\nExhibit B.\n44\n   We are 95 percent confident that between 251 (30.5 percent of the universe) and 430 (52.2 percent of the\nuniverse) incidents in FY12 were not reported to US-CERT as required. Additional sample design information is\npresented in Exhibit B.\n45\n   Lost equipment is defined as a lost or stolen laptop, smartphone, or other electronic device that is issued to USDA\nemployees for performance of the employees\xe2\x80\x99 day-to-day responsibilities.\n\n\n                                                                         AUDIT REPORT 50501-0003-12               25\n\x0c4.1.4 When applicable, reports to law enforcement within established timeframes\n(SP 800-86)? - Yes\n\nNo exception noted. 
We determined all incidents were properly reported to law enforcement\nofficials when applicable.\n\n4.1.5 Responds to and resolves incidents in a timely manner, as specified in Organization\npolicy or standards, to minimize further damage. (NIST 800-53, 800-61, and\nOMB M-07-16, M-06-19)? - Yes\n\nNo substantial exception noted. The Departmental procedures require that if an incident is not\nclosed after 30 days, the agency is required to open a POA&M.46 OIG found that 1 of the\n75 incidents was not resolved in a timely manner, and a POA&M was not created as required,\nwhen the incident remained open for more than 30 days. We consider this question to be\nsubstantially met.\n\n4.1.6 Is capable of tracking and managing risks in a virtual/cloud environment, if\napplicable? - No\n\nWe conducted testing to determine if USDA is capable of tracking and managing risks in a\nvirtual/cloud environment. Based on the test traffic we sent to and received from the cloud\nprovider, discussions with USDA IT personnel, and our review of the cloud provider\xe2\x80\x99s Service\nAgreement and Incident Plan, we determined that USDA is not capable of managing risks in a\nvirtual/cloud environment.47 USDA lacks the ability to track cloud traffic, the cloud e-mail\nsolution does not have its own Data Loss Prevention (DLP) solution deployed, and the service\nagreement between the USDA and its cloud service provider does not include the appropriate\ndetail outlining the roles and responsibilities for each party.48 A new Federal initiative requires\nagencies and cloud service providers to stipulate any specific incident reporting requirements,\nincluding who and how to notify the agency.49 USDA\xe2\x80\x99s current cloud service providers are\nrequired to become compliant by June 2014.\n\n\n\n46\n   A POA&M is a tool that identifies tasks needing to be accomplished to assist agencies in identifying, assessing,\nprioritizing, and monitoring the progress of corrective efforts for security 
weaknesses found in programs and\nsystems. It details resources required to accomplish the elements of the plan, milestones in meeting the task, and\nscheduled completion dates for the milestones. The goal of a POA&M should be to reduce the risk of the weakness\nidentified.\n47\n   The test traffic generated was an email message that was sent from a USDA cloud based email account to a test\nGoogle email account (Gmail). The e-mail message contained an unencrypted spreadsheet that included 50\nfictitious names, fictitious social security numbers, and fictitious credit card numbers. When the e-mail was sent, it\nwas sent to the Cloud Service Provider through the USDA network and subsequently received by the Gmail account\nfrom the Cloud Service Provider.\n48\n   DLP is the ability \xe2\x80\x9cto detect inappropriate transport of sensitive information. Examples of sensitive content are\npersonal identifiers (e.g. credit card or Social Security numbers) or corporate intellectual property.\xe2\x80\x9d\n49\n   The FedRAMP program supports the U.S. Government\xe2\x80\x99s objective to enable U.S. Federal agencies to use\nmanaged service providers that enable cloud computing capabilities. The program is designed to comply with the\nFederal Information Security Management Act of 2002 (FISMA).\n\n\n26      AUDIT REPORT 50501-0003-12\n\x0cIn the FISMA 2011 report, OIG recommended the Department deploy adequate resources to\nmonitor and configure new security tools and then adequately report and close the related incidents.\nThis recommendation has not reached management decision.\n\n4.1.7 Is capable of correlating incidents? - No\n\nBased on our testing, we determined that, although the Department has the capability to correlate\nincidents for the incident response and reporting within USDA, the current security tools do not\nsee nor capture all network traffic. 
Additionally, the Department\xe2\x80\x99s correlation tool was not fully\nconfigured and capable of correlating incidents during FY 2012. As noted in an audit during\nFY 2012, USDA purchased security tools in FY 2010 and 2011 without proper planning and\nconfiguration.50\n\n4.1.8 There is sufficient incident monitoring and detection coverage in accordance with\ngovernment policies (NIST 800-53, 800-61, and OMB M-07-16, M-06-19)? - Yes\n\nNo exception noted. Our review of the Department\xe2\x80\x99s incident monitoring and detection coverage\ndetermined the Department has sufficient incident detection and monitoring coverage.\n\n4.2\xc2\xa0\xc2\xa0\xc2\xa0Please\xc2\xa0provide\xc2\xa0any\xc2\xa0additional\xc2\xa0information\xc2\xa0on\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0the\xc2\xa0Organization\xe2\x80\x99s\xc2\xa0\nIncident Management Program that was not noted in the questions above.\n\nNo additional information to provide.\n\n\nS5: Risk Management\n\n5.1 Has the Organization established a risk management program that is consistent with\nFISMA requirements, OMB policy, and applicable NIST guidelines?- No.\n\nIf yes, besides the improvement opportunities that may have been identified by the OIG,\ndoes the program include the following attributes:\n\n5.1.1 Documented and centrally accessible policies and procedures for risk management,\nincluding descriptions of the roles and responsibilities of participants in this process? - No\n\nThe Department does not have a developed risk management policy. 
The Department does\nhave procedures that are centrally accessible but are lacking required elements, such as\ndescriptions of roles and responsibilities of participants in the Risk Management Framework\n\n\n\n\n50\n  Audit Report 88401-01-12, Audit of the Office of the Chief Information Officer\'s FYs 2010 and 2011 Funding\nReceived for Security Enhancements (August 2012).\n\n\n                                                                     AUDIT REPORT 50501-0003-12                27\n\x0c(RMF) guide.51 In addition, the Department has not addressed step six of the RMF process\nwhich is monitoring security controls. According to USDA, this occurred due to lack of\nresources for policy development and because the Department is in the process of making\nrevisions and addressing missing requirements and enhancements to the procedures. Without a\npolicy and adequate procedures, the Department does not have a consistent and effective\napproach to risk management that is applied to all risk management processes and procedures.\n\nIn the FISMA 2011 report, OIG recommended the Department develop a risk management\npolicy and associated procedures that fully comply with NIST. Management decision has not\nbeen reached.\n\n5.1.2 Addresses risk from an organization perspective with the development of a\ncomprehensive governance structure and organization-wide risk management strategy as\ndescribed in NIST 800-37, Rev.1? - No\n\nThe Department does not have an organizational-wide risk management strategy developed that\naddresses risk from an organization perspective. According to OCIO officials, funding was\nreduced for the team responsible for the development and implementation of the governance\nproject, which included the RMF strategy.\n\n5.1.3 Addresses risk from a mission and business process perspective and is guided by the\nrisk decisions at the organizational perspective, as described in NIST 800-37, Rev.1? 
- No\n\nAs noted in questions 5.1.1 and 5.1.2, the Department does not have a policy, adequate\nprocedures, a governance structure, and an organizational risk management strategy. Therefore,\nit has not defined the risks from a mission and business process perspective in order to address\nthem from an organizational perspective.\n\n5.1.4 Addresses risk from an information system perspective and is guided by the risk\ndecisions at the organizational perspective and the mission and business perspective, as\ndescribed in NIST 800-37, Rev. 1? - No\n\nAs noted in questions 5.1.1 and 5.1.2, the Department does not have policies, adequate\nprocedures, a governance structure, and an organizational risk management strategy. Therefore,\nofficials have not defined the information system risks necessary to address them from a mission\nand business perspective.\n\n\n\n\n51\n  USDA Six Step Risk Management Framework Process Guide, dated July 2011. NIST Special Publication\n800-37 revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems\n(February 2010), states that organizational officials must identify the resources necessary to complete the risk\nmanagement tasks described in this publication and ensure that those resources are made available to appropriate\npersonnel.\n\n\n28      AUDIT REPORT 50501-0003-12\n\x0c5.1.5 Categorizes information systems in accordance with government policies? - No\n\nWe generated a report from Cyber Security Assessment and Management (CSAM) which\nidentified the impact level for each of the Department\xe2\x80\x99s systems.52 The report included the\nimpact levels for Confidentiality, Integrity, and Availability, which were categorized as high,\nmoderate, and low. 
We compared the generated report to the recommendations in NIST and\nfound 18 of 257 systems indicated a lower rating than was recommended without adequate\njustification for the reduction in categorization level.53 Systems were not properly\ncategorized. NIST requires that any adjustments to the recommended impact levels be\ndocumented and include justification for the adjustment.\n\n5.1.6 Selects an appropriately tailored set of baseline security controls? - No\n\nNIST SP 800-53 recommends a set of minimum baseline security controls to be implemented\nbased on a system\xe2\x80\x99s overall categorization. The lower the category, the fewer controls required.\nTherefore, the incorrect categorization noted in 5.1.5 led to inadequate controls being\nimplemented for those 18 systems. NIST SP 800-60 states that an incorrect information system\nimpact analysis can result in the agency either over protecting the information system (thereby\nwasting valuable security resources), or under protecting the information system and placing\nimportant operations and assets at risk.\n\n5.1.7 Implements the tailored set of baseline security controls and describes how the\ncontrols are employed within the information system and its environment of\noperation? - No\n\nAs noted in 5.1.6 the incorrect categorization noted in 5.1.5 led to inadequate controls being\nimplemented for those 18 systems.\n\n5.1.8 Assesses the security controls using appropriate assessment procedures to determine\nthe extent to which the controls are implemented correctly, operating as intended, and\nproducing the desired outcome with respect to meeting the security requirements for the\nsystem? - No\n\nWe found that security controls are not implemented correctly. Specifically, the security\ncontrols were not implemented properly and did not sufficiently address each control. 
For\nexample, for 6 of 11 systems, the control involving Security Awareness Training was described\n\n52\n   CSAM is a comprehensive system developed by the Department of Justice, which can help in achieving FISMA\ncompliance. CSAM provides a vehicle for the Department, agencies, system owners, and security staffs to (1)\nmanage their system inventory, interfaces, and related system security threats and risks; (2) enter system security\ndata into a single repository to ensure all system security factors are adequately addressed; (3) prepare annual system\nsecurity documents, such as security plans, risk analyses, and internal security control assessments; and (4) generate\ncustom and predefined system security status reports to effectively and efficiently monitor each agency\xe2\x80\x99s security\nposture and FISMA compliance. This includes agency-owned systems or those operated by contractors on the\nagency\xe2\x80\x99s behalf.\n53\n   The 257 major applications were reported in CSAM as of August 8, 2012. NIST SP 800-60, Guide for Mapping\nTypes of Information and Information Systems to Security Categories, Vol. 1 (August 2008).\n\n\n                                                                         AUDIT REPORT 50501-0003-12                29\n\x0cas an inherited control. However, this control could not be inherited because procedures had to\nbe developed by the agencies as required by Departmental policy. Additionally, we found\ncontrols that had not been assessed; and the agencies did not document reasons for the controls\nnot being assessed.\n\n5.1.9 Authorizes information system operation based on a determination of the risk to\norganizational operations and assets, individuals, other organizations, and the Nation\nresulting from the operation of the information system and the decision that this risk is\nacceptable? 
- No

The Department does not authorize information system operation based on a determination of the risk to organizational operations and assets. We reviewed the Department’s inventory of 251 FISMA reportable systems and found a parent system identified as in development, but this system had three child systems that were operational without Authorities to Operate (ATO).[54] We found six additional systems that were operational with no ATO.[55] Furthermore, the Department has 22 systems with expired ATOs, one of which is CSAM, the Department’s system repository. This occurred because the Department felt that the systems needed to be operational for business needs. As a result, the Department’s organizational operations and assets are vulnerable.

[54] Total number of systems generated out of CSAM as of October 1, 2012.
[55] A parent system owns, manages, and/or controls the child system. System inventory as of October 1, 2012.

In the FY 2009 FISMA report, OIG recommended that the Department develop and implement an effective Certification & Accreditation (C&A) process based on NIST guidance and ensure that all systems have the proper ATO.[56] This recommendation reached final action; however, we found that the same issue still exists.

[56] A&A is the new terminology for the former Certification and Accreditation process mandated by OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources (November 28, 2000). The process requires that IT system controls be documented and tested by technical personnel and that the system be given formal ATO by an agency official.

5.1.10 Ensures information security controls are monitored on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials? - No

NIST SP 800-53 states that the organization will assess the security controls in an information system as part of the testing/evaluation process. However, as noted in 1.1.3, we identified 25 of 254 systems where ongoing assessments of selected security controls had not been performed in FY 2012.[57]

[57] The 254 major applications were reported in CSAM as of October 2, 2012, at 8:49 a.m.

30      AUDIT REPORT 50501-0003-12

5.1.11 Information system specific risks (tactical), mission/business specific risks, and organizational level (strategic) risks are communicated to appropriate levels of the organization? - No

As noted in 5.1.1-5.1.4, the Department does not have policies, adequate procedures, a governance structure, or an organizational risk management strategy with defined risks in place. Therefore, we were unable to determine if information system specific risks were communicated to appropriate levels of the organization.

5.1.12 Senior Officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO)? - Yes

No exception noted. The Department briefs appropriate personnel through weekly activity reports.

5.1.13 Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information system-related security risks? - No

As noted in 5.1.1-5.1.4, the Department does not have a policy, adequate procedures, a governance structure, or an organizational risk management strategy with defined risks. Therefore, we were unable to determine if there is active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information system-related security risks.

5.1.14 Security authorization package contains system security plan, security assessment report, and POA&M in accordance with government policies (SP 800-18, SP 800-37)? - No

The System Security Plans (SSP) we reviewed were inadequate and not in accordance with Government policies.[58] We found that 11 of 11 SSPs failed to meet the minimum security requirements of NIST SP 800-53. Specifically, for 6 of the 11 systems, the security controls did not include sufficient support for implementation. For instance, we found controls that had not been assessed and had no evidence to support why the controls were not assessed.

[58] The SSP is a required A&A document that provides an overview of the security requirements of the system and describes the controls in place (or planned) for meeting those requirements. The SSP also delineates responsibilities and expected behavior of all individuals who access the system. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems (February 2006).

The Department’s Security Assessment Reports (SARs) we reviewed failed to meet the minimum security requirements of NIST SP 800-37.[59] Specifically, NIST SP 800-37 requires a Security Assessment Plan (SAP) to be included with the SAR; the SAP provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and the assessment procedures. During our review, we found that three of the three SAPs for systems that had fully completed the A&A process had not been approved or authorized. As a result, USDA cannot be assured that all system controls had been documented and tested, and that systems were operating at an acceptable level of risk.

[59] The results of the security control assessment, including recommendations for correcting any weaknesses or deficiencies in the controls, are documented in the security assessment report (SAR).

As noted in 7.1.6, USDA POA&Ms did not meet Federal guidelines.

5.1.15 Security authorization package contains Accreditation boundaries for Organization information systems defined in accordance with government policies? - Yes

No exception noted.
During our review of the security authorization packages (which include the SSP) to verify that system accreditation boundaries were accurately defined in accordance with Government policies, we found that 11 of 11 packages adequately explained the system boundaries.

5.2 Please provide any additional information on the effectiveness of the Organization’s Risk Management Program that was not noted in the questions above.

No additional information to provide.


S6: Security Training

6.1 Has the Organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - Yes.

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

6.1.1 Documented policies and procedures for security awareness training (NIST 800-53: AT-1)? - No

We determined that the Department’s and two of two agencies’ security awareness policies met the requirements outlined in NIST SP 800-53.[60] In addition, the Department’s security awareness training procedures met the requirements of NIST SP 800-53. However, one of the two agencies we reviewed during this audit did not have adequate procedures in place to ensure employees and contractors received adequate security awareness training.

[60] Departmental SOP, Information Security Training, SOP-ISD 022 (October 7, 2008) and Information Security Awareness Training, SOP-CPPO-018 (April 21, 2011).

In the FY 2011 FISMA report, OIG recommended that the Department develop monitoring procedures to appropriately report the status of USDA employees being trained to meet their information security awareness needs. This recommendation reached management decision, but has exceeded the estimated completion date of September 30, 2012.

6.1.2 Documented policies and procedures for specialized training for users with significant information security responsibilities? - No

The Department’s policy for specialized security training was not fully developed. In addition, the Department’s specialized security training procedures and the procedures of two of two agencies were not fully developed or sufficiently detailed.[61] Specifically, we found the Department’s policy for specialized training did not include a definition of significant information security responsibilities. The Department’s policy is currently in draft and had not been released as of September 30, 2012. A guidance memo/bulletin was sent to the agencies on how to identify employees who need to complete the specialized training. Both agencies reviewed are following this memo until the official policy is developed and finalized.

[61] NIST SP 800-53 requires the organization to provide basic security awareness training to all users. Additionally, it requires the organization to identify and provide information system managers, system and network administrators, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software with role-based specialized security training related to their specific roles and responsibilities. The organization is to determine the appropriate content of security training and the specific requirements of the organization and the information systems to which personnel have authorized access.

In the FY 2009 FISMA report, OIG recommended that the Department develop training policies and procedures for personnel with significant security responsibilities, to include a Departmental definition of what constitutes significant security responsibilities. The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2011.

6.1.3 Security training content based on the organization and roles, as specified in Organization policy or standards? - Yes

No exception noted. OIG reviewed the training content for individuals of the two sampled agencies with significant information security responsibilities. All 45 reviewed employees had training that was documented and was appropriate for role-based training.

6.1.4 Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other Organization users) with access privileges that require security awareness training? - Yes

No substantial exception noted. NIST SP 800-53 Rev 3 requires agencies to document and monitor individual information system security training activities and to retain individual training records. During our review of the two agencies, we found 2 of 9,507 users (less than 1 percent) with login privileges without evidence that the users had completed the annual security awareness training. We considered this to have substantially met the requirements.

In the FY 2010 FISMA report, OIG recommended that the Department ensure its training repository is completely populated to ensure all required personnel receive the required training. This recommendation is still open; OCIO has exceeded its estimated completion date of August 30, 2011.

6.1.5 Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other Organization users) with significant information security responsibilities that require specialized training? - Yes

No exception noted. NIST SP 800-53 requires agencies to provide role-based training. Agencies are to document and monitor individual information system security training activities and to retain individual training records. OIG reviewed the training content for individuals with significant information security responsibilities at the two sampled agencies. Our testing of 45 employees with significant security responsibilities found that all 45 employees from the 2 sampled agencies had adequate role-based training to meet NIST requirements and had documented evidence of specialized training attendance.

6.1.6 Training material for security awareness training contains appropriate content for the Organization (SP 800-50, SP 800-53)? - Yes

No exception noted.
We found that the security awareness training material contains the appropriate content to meet NIST SP 800-53.

6.2 Please provide any additional information on the effectiveness of the Organization’s Security Training Program that was not noted in the questions above.

No additional information to provide.


S7: Plan Of Action & Milestones (POA&M)

7.1 Has the Organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known information security weaknesses? - Yes.

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

7.1.1 Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation? - No

The Department’s security manual did not include a policy establishing a POA&M process for reporting IT security deficiencies and for tracking the status of remediation efforts. The Department stated that it was in the process of finalizing a draft policy. In addition, the two agencies reviewed did not have POA&M policies. Instead, the agencies stated that they followed the Department’s policy; however, the Department had not published an official POA&M policy.

Additionally, although there were no formal policies, the Department does have established procedures. Our review of the POA&M SOP determined that it had been updated to include the criteria outlined in OMB M-04-25 and that it reflected the current POA&M process.[62] However, we found that neither of the selected agencies had established POA&M procedures for managing IT security weaknesses discovered during security control assessments and requiring remediation.

[62] Departmental SOP, Plan of Action and Milestones Management SOP (June 29, 2011).

In the FY 2010 FISMA report, OIG recommended that the Department develop POA&M policy and procedures that adhere to Federal requirements. The policy and procedures should include detailed instructions for the use of CSAM, an effective closure review process, and periodic reviews of the information in CSAM. Final action was achieved May 30, 2012. However, we found the Department’s POA&M policy is still in draft and not yet finalized.

7.1.2 Tracks, prioritizes, and remediates weaknesses? - Yes

No exception noted. We found the Department’s POA&M program tracks, prioritizes, and remediates weaknesses. The Department uses CSAM as the central repository for POA&Ms, which includes tracking weaknesses, identifying priority levels, and housing all supporting documentation of remediation. The Department holds bi-weekly meetings with each agency to discuss POA&M status and any outstanding POA&M issues, in order to continually monitor agency progress. We found all POA&Ms, as of September 12, 2012, had an identified priority level. Additionally, we determined that weaknesses were remediated throughout the fiscal year.

7.1.3 Ensures remediation plans are effective for correcting weaknesses? - No

OMB M-04-25 specifies that effective remediation of IT security weaknesses is essential to achieve a mature and sound IT security program, and for securing information and systems. It further states that a milestone should identify specific requirements to correct an identified weakness. To test the Department’s remediation effectiveness, we reviewed a statistical sample of 69 POA&Ms that were closed during FY 2012, and found 11 were closed without documented remediation plans.[63] Based on our sample results, we estimate 176 POA&Ms (15.9 percent of the universe) were closed in FY 2012 with remediation actions that did not sufficiently address the identified weaknesses in accordance with Government policies.[64] Additionally, of the POA&M closures reviewed by the Department, 17 of 94 closures were not acceptable, due to insufficient documentation to support remediation or because the closure procedures were not followed.

[63] We based our sample size on a 25 percent error rate and a desired absolute precision of +/-10 percent, at the 95 percent confidence level. With these assumptions, we calculated a sample size of 69 POA&Ms for review and selected them by choosing a simple random sample. Additional sample design information is presented in Exhibit B.
[64] We are 95 percent confident that between 81 (7.4 percent) and 271 (24.5 percent) of closed POA&Ms in FY 2012 had remediation actions that did not sufficiently address the identified weaknesses in accordance with Government policies. Additional sample design information is presented in Exhibit B.

In the FY 2009 FISMA report, OIG recommended that the Department develop and implement an effective process to ensure POA&Ms are entered, tracked, and closed properly. The process should include the required link to budgetary resources. Final action was achieved on May 30, 2012; however, we continue to find that POA&Ms are not being closed properly. Additionally, in order to achieve final action, OIG stated that OCIO needed to provide copies of the CSAM User's Guide and the POA&M policy. However, we found the Department’s POA&M policy is still in draft and not yet finalized.

7.1.4 Establishes and adheres to milestone remediation dates? - No

We found that 995 of the 3,606 (28 percent) milestones completed in FY 2012 were not completed by the planned milestone finish date. We found that milestone dates are being established but the remediation dates are not always adhered to.

7.1.5 Ensures resources are provided for correcting weaknesses? - No

We found weaknesses that were not being remediated due to inadequate resources. We identified 228 delayed POA&Ms as of September 12, 2012. We determined 53 of the 228 POA&Ms were delayed due to inadequate resources for one of the following reasons:

     ·   Funds not allocated or insufficient funding;
     ·   Personnel shortage; or
     ·   Assigned funds withdrawn.

7.1.6 POA&Ms include security weaknesses discovered during assessments of security controls and requiring remediation. (Do not need to include security weaknesses due to a Risk Based Decision to not implement a security control) (OMB M-04-25)? - No

OMB requires agencies to prepare POA&Ms for all programs and systems where an IT security weakness has been found.[65] The Department’s SOP requires an agency to create a POA&M when an identified weakness cannot be remediated within 30 days. However, we found POA&Ms had not been created for the 10 FY 2011 FISMA Departmental audit recommendations. Also, an internal control audit identified one agency that was not creating POA&Ms for vulnerabilities identified from scan results.

[65] OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act (August 23, 2004).

7.1.7 Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25)? - Yes

No exception noted. OMB requires that POA&Ms include the estimated funding resources required to resolve the weakness. We found 27 of 532 (5 percent) POA&Ms that did not have costs associated. Because of the significant progress the Department has made (down from 38 percent in FY 2011), we consider the FY 2012 number to be insignificant.

7.1.8 Program officials and contractors report progress on remediation to the CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25)? - No

The Department’s SOP requires that a POA&M closure review be performed at least once per quarter. This includes a review of all closed POA&Ms resulting from a GAO or OIG audit. In addition, the Department is required to review another 10 percent of non-audit related, closed POA&Ms. We found the required reviews were not being completed by the Department. For example:

     ·   OCIO was not completing a quarterly review of closed POA&Ms as required by its SOP;
     ·   OIG found that not all closed POA&Ms resulting from a GAO or OIG audit were subjected to the closure review process; and
     ·   OIG found that the Department had not met the requirement to review a minimum of 10 percent of all closed non-audit POA&Ms.

In the FY 2011 FISMA report, OIG recommended that the Department actively manage the POA&M process, which includes tracking and reviewing POA&Ms in accordance with its recently issued SOP.
The recommendation has not reached management decision.

7.2 Please provide any additional information on the effectiveness of the Organization’s POA&M Program that was not noted in the questions above.

No additional information to provide.


S8: Remote Access Management

8.1 Has the Organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - Yes.

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

8.1.1 Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST 800-53: AC-1, AC-17)? - No

Although the Department has a remote access policy, our testing found it did not meet all NIST requirements. Two policy areas outlined by NIST were not addressed in the Departmental policy.[66] One area was the administration of remote access servers, and the other was the periodic reassessment of the telework device policies. Additionally, we found two of two agencies reviewed did not have a remote access policy fully developed. This occurred because they both depended on the Departmental policy, which was not sufficient. As a result, inadequate security of remote access could result in the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

[66] NIST SP 800-46, Guide to Enterprise Telework and Remote Access Security, Revision 1 (June 2009).

In the FY 2010 FISMA report, we recommended the Department develop a remote access and telework policy and procedures that fully comply with NIST. The recommendation is still open; OCIO has exceeded the estimated completion date of August 31, 2011.

8.1.2 Protects against unauthorized connections or subversion of authorized connections? - No

We found, or the agencies self-reported, that three out of three agencies’ remote access programs were not protected against unauthorized connections or subversion of authorized connections. This occurred because they either relied on their general network access logging to capture events, or they had logs but were unable to provide any documentation that log reviews had occurred.

8.1.3 Users are uniquely identified and authenticated for all access (NIST 800-46, Section 4.2, Section 5.1)? - No

We found two agencies out of the two reviewed were not using multi-factor authentication for remote access as required, which hampers the program from uniquely identifying and authenticating users. This occurred because the Departmental solution had not been implemented and the telework policy was insufficient.

8.1.4 Telecommuting policy is fully developed (NIST 800-46, Section 5.1)? - No

As reported in item 8.1.1 above, the Department has a remote access (and telework) policy, but our testing found it did not meet all NIST requirements. It establishes the telework program for the agency and outlines parts of the program such as the types of telework agreements, eligibility, and exclusions. However, the information security section does not provide detailed policy guidance for securing the equipment, work products, and software while teleworking. Specifically, we found two of the two agencies reviewed did not have a fully developed telecommuting policy. This occurred because the agencies depended on the Departmental policy, which had deficiencies.

In the FY 2010 FISMA report, we recommended that the Department develop a remote access and telecommuting policy and procedures that fully comply with NIST. The recommendation is still open; OCIO has exceeded its estimated completion date of August 31, 2011.

8.1.5 If applicable, multi-factor authentication is required for remote access (NIST 800-46, Section 2.2, Section 3.3)? - No

DR 3505-003 specifies that agencies will implement multi-factor authentication for all forms of remote access to agency information systems. We found, or agencies self-reported, that while multi-factor authentication for remote access is required by Departmental policy, four of the four agencies reviewed did not have it properly implemented. This occurred because there are several problems with going exclusively to PIV cards, and agencies are using alternative solutions. One issue with the cards is that it can take weeks for new employees, or existing employees who lose their cards, to receive a new one.

In the FY 2010 FISMA report, we recommended the Department complete the Departmental projects that will enforce multi-factor authentication and external media encryption. The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2011.

8.1.6 Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength mechanisms? - No

If the Department required PIV cards for remote access authentication, it would satisfy all the NIST requirements, including strength mechanisms.[67] As reported in item 8.1.5 above, we found that while multi-factor authentication for remote access is required by Departmental policy, four agencies of the four reviewed did not properly implement it.

[67] NIST SP 800-63, Electronic Authentication Guideline (April 2006).

8.1.7 Defines and implements encryption requirements for information transmitted across public networks? - Yes

No exception noted. We found two of the two agencies reviewed had defined and implemented encryption requirements for information transmitted across public networks.

8.1.8 Remote access sessions, in accordance with OMB M-07-16, are timed out after 30 minutes of inactivity, after which re-authentication is required? - Yes

No exception noted. We reviewed two agencies’ remote access session time-out settings and found they were compliant with OMB, and timed out after 30 minutes of inactivity, after which re-authentication was required.[68]

[68] OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007).

8.1.9 Lost or stolen devices are disabled and appropriately reported (NIST 800-46, Section 4.3, US-CERT Incident Reporting Guidelines)? - No

Even though lost and stolen equipment was consistently being processed (wiped and/or disabled), we found that 18 of 20 incidents of lost or stolen remote access devices were not reported appropriately within the required timeframe.

8.1.10 Remote access rules of behavior are adequate in accordance with government policies (NIST 800-53, PL-4)? - Yes

No exception noted. We reviewed two agencies’ rules of behavior agreements, and found they were in accordance with Government policies.

8.1.11 Remote access user agreements are adequate in accordance with government policies (NIST 800-46, Section 5.1, NIST 800-53, PS-6)? - Yes

No exception noted.
We reviewed two agencies’ user access agreements, and found they were in accordance with Government policies.

8.2 Please provide any additional information on the effectiveness of the Organization’s Remote Access Management that was not noted in the questions above.

No additional information to provide.


S9: Contingency Planning

9.1 Has the Organization established an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? - Yes.

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

9.1.1 Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster (NIST 800-53: CP-1)? - No

NIST SP 800-53 states that the organization should develop, disseminate, and review/update a formal, documented contingency planning policy. We found that the Department’s contingency planning policy did not meet these requirements. For example, the policy did not address alternate telecommunications providers. This occurred because the Department’s policy has not been updated with the new NIST elements.

In the FY 2010 FISMA report, we recommended that the Department ensure that agencies have developed effective contingency planning policy and procedures in accordance with NIST. The policy and procedures should address suitable alternate processing sites, backup tape storage locations, and backup testing. OCIO has exceeded its estimated completion date of September 30, 2011. The Department has stated that it has updated the template and that it is currently in the approval process. In the FY 2011 FISMA report, OIG recommended that the Department update the contingency plan template to adequately address all NIST 800-34 requirements.[69] The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2012. However, OCIO stated that Cyber Policy and Oversight (CPO) is in the process of drafting a new contingency plan policy to comply with NIST requirements, and officials stated that they are actively working on the template.[70]

[69] NIST SP 800-34, Contingency Planning Guide for Federal Information Systems (May 2010).
[70] USDA Contingency Plan Template (March 2011).

9.1.2 The Organization has performed an overall Business Impact Analysis (BIA) (NIST SP 800-34)? - No

NIST SP 800-34 states that conducting the BIA is a key element in a comprehensive information system contingency planning process. The Department’s guide on developing contingency plans requires that a BIA be completed for each system. We found one of two agencies did not have a BIA for any of its systems.

9.1.3 Development and documentation of division, component, and IT infrastructure recovery strategies, plans, and procedures (NIST SP 800-34)? - Yes

We found all contingency plans—18 of 18 from our sampled agencies—had addressed the key information required by NIST SP 800-34.

9.1.4 Testing of system specific contingency plans? - No

NIST SP 800-53 requires Federal agencies to test and exercise contingency plans for information systems, using organization-defined tests or exercises. This is done to determine the plan’s effectiveness and the organization’s readiness to execute the plan, and to initiate corrective actions. We identified 42 of 247 systems for which USDA system contingency plans had not been tested or for which documentation had not been updated during FY 2012.[71]

[71] The 247 major applications were reported in CSAM as of October 2, 2012.

9.1.5 The documented business continuity and disaster recovery plans are in place and can be implemented when necessary (FCD1, NIST SP 800-34)? - No

NIST SP 800-53 requires the agency to have formal, documented procedures to facilitate the implementation of its contingency planning policy and associated controls. We found that the documented business continuity and disaster recovery plans were not in place and could not be implemented when necessary. For example, four of eight contingency plans we reviewed had not completed testing or fully developed training plans and exercises. Also, 9 of 58 sampled systems from the Department did not have evidence of effective ongoing testing.[72] Based on our sample results, we estimate that 32 systems (15.5 percent of the universe) did not have evidence of ongoing testing.[73]

[72] We selected a simple random sample of 58 contingency plans for review. For a 95 percent confidence level, this sample size was adequate for a range of potential outcomes: from a 0 percent exception rate with a 5 percent upper limit to a 30 percent error rate with +/-10 percent precision. Additional sample design information is presented in Exhibit B.
[73] We are 95 percent confident that between 15 (7.4 percent) and 48 systems (23.6 percent) are non-compliant with this criterion. Additional sample design information is presented in Exhibit B.

9.1.6 Development and full implementation of test, training, and exercise (TT&E) programs (FCD1, NIST SP 800-34, NIST 800-53)? - No

NIST SP 800-53 requires Federal agencies to test and exercise contingency plans for information systems, using organization-defined tests or exercises. This is done to determine the plan’s effectiveness and the organization’s readiness to execute the plan, and to initiate corrective actions. However, we found that, of the 8 systems from two agencies, 4 had not fully implemented training, testing, and exercise programs.

9.1.7 Performance of regular ongoing testing or exercising of business continuity/disaster recovery plans to determine effectiveness and to maintain current plans? - No

NIST SP 800-53 requires Federal agencies to test and exercise contingency plans for information systems and to review the contingency plan test/exercise results and initiate corrective actions. We found that one of our selected agencies did not have documented evidence of its contingency plan tests. The other agency had 7 of 15 systems with persistent issues that were not being remediated from year to year after contingency plan testing.

9.1.8 After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34)? - No

NIST SP 800-34 states that all recovery and reconstitution events should be well documented, including actions taken and problems encountered during recovery and reconstitution efforts. An after-action report with lessons learned should be documented and updated. Our review found one of two agencies did not have a record of testing and therefore had no after-action report.

9.1.9 Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53)? - No

NIST SP 800-53 requires alternate processing sites to be established for information systems in case of a disaster. We sampled 58 systems and found 3 of those systems did not meet the requirement to provide an alternate processing site.[74] Based on our sample results, we estimate that 11 systems (5.2 percent of the universe) did not meet the requirement to provide an alternate processing site.[75]

[74] We selected a simple random sample of 58 contingency plans for review. For a 95 percent confidence level, this sample size was adequate for a range of potential outcomes: from a 0 percent exception rate with a 5 percent upper limit to a 30 percent error rate with +/-10 percent precision. Additional sample design information is presented in Exhibit B.
[75] We are 95 percent confident that between 3 (the number actually found; 1.5 percent) and 21 systems (10.1 percent) are non-compliant with this criterion. Additional sample design information is presented in Exhibit B.

In the FY 2010 FISMA report, we recommended that the Department ensure that all required contingency planning documents are in CSAM, and all required fields are properly populated. This should include recovery strategies, plans, and procedures, as well as testing, training, and exercise results. As part of this recommendation, we also suggested that the Department periodically review CSAM to ensure compliance. OCIO has exceeded its estimated completion date of September 30, 2011.

9.1.10 Alternate processing sites are subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53)? - No

As noted in 9.1.9, we found 3 of 58 systems did not have alternate processing sites. Based on our sample results, we estimate that 11 systems (5.2 percent of the universe) did not meet the requirement to provide an alternate processing site.[76]

9.1.11 Backups of information are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53)? - No

NIST SP 800-53 states that the organization should conduct user-level, system-level, and information system documentation backups. We found that 4 of the 12 agencies reviewed (by OIG, by independent contractors, or during annual agency self-assessments) had not performed backups in a timely manner. For example, three systems from one agency had failed backups. For one of those systems the backup was not completed successfully until three days later, and another was not completed at all for the requested date.

9.1.12 Contingency planning that considers supply chain threats? - No

We found contingency plans in one of two agencies we tested did not consider its supply chain threats. This occurred because Disaster Recovery Plans had not been completed.

9.2 Please provide any additional information on the effectiveness of the Organization’s Contingency Planning Program that was not noted in the questions above.

No exception noted. OIG was able to observe two different contingency plan tabletop exercises. Both exercises were successful at noting issues that need to be addressed and were positive training opportunities for those involved. There were no major issues to report. However, it should be noted that the facilitator for one exercise incorrectly suggested to the participants that live events be recorded and written up in the form of after-action reports so that they did not have to complete contingency plan testing each year.
One agency self-reported\nthat it did not meet the NIST requirements to provide initial contingency planning training to\npersonnel; it failed to define the training frequency and to provide refresher training.\n\n\n\n\n76\n  We are 95 percent confident that between 3 (actual found; 1.5% percent of audit) and 21 systems (10.1 percent)\nare non-compliant with this criterion. Additional sample design information is presented in Exhibit B.\n\n\n                                                                      AUDIT REPORT 50501-0003-12               43\n\x0cS10: Contractor Systems\n\n10.1 Has the Organization established a program to oversee systems operated on its behalf\nby contractors or other entities, including Organization systems and services residing in the\ncloud external to the Organization?- No.\n\nBesides the improvement opportunities that may have been identified by the OIG, does the\nprogram includes the following attributes:\n\n10.1.1 Documented policies and procedures for information security oversight of systems\noperated\xc2\xa0on\xc2\xa0the\xc2\xa0Organization\xe2\x80\x99s behalf by contractors or other entities, including\nOrganization systems and services residing in public cloud? - No\n\nWe found that the Department has not established a program to oversee systems operated on its\nbehalf by contractors or other entities, including organization systems and services residing in\nthe cloud environment external to the organization. We found that the Department does not have\ndocumented policies relating to this topic.\n\nIn the FY 2010 FISMA report, we recommended that the Department develop policy and\nprocedures for information security oversight of systems operated on the agency\xe2\x80\x99s behalf. These\npolicy and procedures should ensure that an accurate inventory of contractor systems and\nmemoranda of understanding/interconnection service agreements are completed\nperiodically. 
The recommendation is still open and has exceeded the estimated completion date of September 15, 2011. OCIO has had a policy in draft for 2 years and has not yet finalized it.

10.1.2 The Organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with Federal and Organization guidelines? - No

As noted in 10.1.3 below, we found operational contractor systems in CSAM that did not have a current ATO, did not sufficiently document their interconnections, or did not have a signed SSP. Based upon these findings, we determined that the Department’s contractor systems program was not ensuring that security controls of contractor systems and services were effectively implemented and complied with organizational guidelines.

10.1.3 A complete inventory of systems operated on the Organization’s behalf by contractors or other entities, including Organization systems and services residing in public cloud? - No

USDA’s Contractor Systems program does not include a complete inventory of systems operated on the organization’s behalf by contractors or other entities, including organization systems and services residing in a public cloud. We found one contractor system was not in the Department’s inventory, four contractor systems had insufficient interconnection documentation, and one cloud system was in production for 15 months before being documented in CSAM. We also reviewed a random sample of 40 non-contractor systems and found 10 had insufficient interconnection documentation.[77] Based on our sample results, we estimate 57 non-contractor systems (25.0 percent of the universe) had insufficient interconnection documentation.[78]

In the FY 2010 FISMA report, we recommended that OCIO ensure contractor and non-contractor systems inventory and interfaces are accurate and updates are completed at least annually. The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2011.

10.1.4 The inventory identifies interfaces between these systems and Organization-operated systems (NIST 800-53: PM-5)? - No

We reviewed interconnection documentation for 10 operational and reportable contractor systems in CSAM and found that 4 did not have adequately identified or documented interfaces in CSAM.

As noted in 10.1.3 above, in the FY 2010 FISMA report, we recommended that the Department ensure contractor and non-contractor systems inventory and interfaces are accurate and updates are completed at least annually. The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2011.

Also, in the FY 2009 FISMA report, we recommended the Department develop and implement an effective process to ensure system interfaces are accounted for in CSAM. The Department reached final decision by issuing a CSAM Users Guide and POA&M SOP (CPO-SOP-002). Because these are not policy guidance, we take exception to final action being reached on this recommendation.

10.1.5 The Organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates? - No

The Department's Contractor Systems program was not requiring appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates. As noted in 10.1.4 above, we found four contractor systems that did not have adequately identified or documented interfaces in CSAM.

[77] We based our sample size on a 15 percent error rate and desired absolute precision of +/-10 percent, at the 95 percent confidence level. With these assumptions, we calculated a sample size of 40 systems for review and selected them by choosing a simple random sample. Additional sample design information is presented in Exhibit B.
[78] We are 95 percent confident that between 28 (12.3 percent) and 85 (37.7 percent) non-contractor systems may have insufficient interconnection documentation in CSAM. Additional sample design information is presented in Exhibit B.

10.1.6 The inventory of contractor systems is updated at least annually? - No

We found that the inventory reconciliation had not been performed for 3 years and the Department did not have documented policies and procedures for oversight of contractor systems.

As noted in 10.1.3 above, in the FY 2010 FISMA report, we recommended that OCIO ensure contractor and non-contractor systems inventory and interfaces are accurate and updates are completed at least annually. The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2011.

10.1.7 Systems that are owned or operated by contractors or entities, including Organization systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines? - No

We found eight contractor systems with expired ATOs, four contractor systems with missing interconnection agreements, and five contractor systems with missing SSP signatures. We also found a cloud system with incomplete documentation and another that was not included in the Department’s inventory.

10.2 Please provide any additional information on the effectiveness of the Organization’s Contractor Systems Program that was not noted in the questions above.

No additional information to provide.

S11: Security Capital Planning

11.1 Has the Organization established a security capital planning and investment program for information security? - Yes.

Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes:

11.1.1 Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process? - No

We reviewed Capital Planning policies and procedures at the Departmental and agency levels to determine if all critical elements were included in the documents. One of seven criteria identified in the OMB A-11 and NIST 800-65 guidance was not included in the Departmental Manuals. This occurred because the Capital Planning Division (CPD) was not aware the criteria needed to be included in the Departmental policy. As a result, agencies lack formal guidance on the definition of a major information technology investment.
The CPD has updated its policy guidance to incorporate the missing regulatory criteria; however, as of October 1, 2012, CPD had not implemented the updated policy.

Additionally, our review of CPIC policy and procedures at the agency level determined that one of two agencies was not adhering to the appropriate Departmental policies pertaining to information technology capital investments.

In the FY 2011 FISMA report, OIG recommended that the Department update its Capital Planning policies to incorporate a definition of a “major IT investment” so that agencies have a documented description to use. The recommendation is still open; OCIO has exceeded its estimated completion date of September 30, 2012.

11.1.2 Includes information security requirements as part of the capital planning and investment process? - No

We reviewed the Exhibit 53B documentation submitted by USDA and the two selected agencies as part of the annual budgeting process.[79] Our testing determined USDA’s security capital planning and investment program includes information security requirements as part of the capital planning and investment process; however, detailed testing determined that both of the two agencies selected for testing could not provide adequate supporting documentation for the amounts submitted on their annual Exhibit 53B. This occurred because the agencies were unaware of the need to retain adequate supporting documentation used for the budgeting process. As a result, USDA lacks justification for the IT security costs portion of its budgetary request.

11.1.3 Establishes a discrete line item for information security in organizational programming and documentation (NIST 800-53: SA-2)? - No

We reviewed the Exhibit 53B documentation submitted by USDA and the two selected agencies as part of the annual budgeting process. Our testing determined USDA’s security capital planning and investment program establishes a discrete line item for information security in organizational programming and documentation, based on information submitted on the Exhibit 53Bs by USDA and the agencies selected for testing. However, as noted in 11.1.2, detailed testing determined that both of the two agencies selected could not provide supporting documentation for the amounts submitted on their annual Exhibit 53B.

11.1.4 Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST 800-53: PM-3)? - No

We reviewed a sample of Exhibit 300 documents submitted by agencies within USDA to verify that the Exhibit 300 was accompanied by OMB-required supporting documentation.[80] Our testing determined that USDA does not consistently employ business cases across Exhibit 300s, based on the absence of required documentation for four of the six Exhibit 300s reviewed. As a result, the Major IT investments within USDA lack the required supporting documentation that outlines the investments' planning, funding, and implementation progress. This occurred because the CPD did not require all supporting documentation to be submitted.

[79] Agencies must provide IT Investment information using the Agency IT Investment Portfolio (Exhibits 53A&B), Guidance on Exhibit 53 – Information Technology and E-Government, OMB (2011).
[80] Exhibit 300 establishes policy for planning, budgeting, acquisition, and management of major IT capital investments. OMB, Guidance on Exhibit 300 – Planning, Budgeting, Acquisition, and Management of IT Capital Assets (2011).

11.1.5 Ensures that information security resources are available for expenditure as planned? - No

We reviewed the Exhibit 53B documentation submitted by USDA and the two selected agencies as part of the annual budgeting process. Our testing determined that the Exhibit 53B was prepared and submitted; however, as noted in 11.1.2, the agencies could not provide documentation that supported the amounts included on the Exhibit 53B. We determined the agencies did not adequately plan when expending IT resources based on the Exhibit 53B because supporting documentation for the amounts was not maintained. This occurred because CPD did not require all supporting documentation to be submitted. As a result, USDA lacks justification for the IT security costs portion of its budgetary request.

11.2 Please provide any additional information on the effectiveness of the Organization’s Security Capital Planning Program that was not noted in the questions above.

No additional information to provide.

Exhibit B: Sampling Methodology and Projections

Objective:

This sample was designed to support OIG audit number 50501-0003-12.
The objective of this audit was to evaluate the status of USDA’s overall IT security program, based on the following overarching criteria:
   · Effectiveness of the Department’s oversight of agencies’ IT programs, and compliance with FISMA;
   · Agencies’ system of internal controls over IT assets;
   · Department’s progress in establishing a Departmentwide security program, which includes effective assessment and authorization;
   · Agencies’ and Department’s POA&M consolidation and reporting process; and
   · Effectiveness of controls over configuration management, incident response, IT training, remote access management, identity and access management, continuous monitoring, contingency planning, contractor systems, and capital planning.

FISMA Audit Universes and Sample Designs:

FISMA contains multiple areas pertaining to various aspects of IT security. Statistical sampling was incorporated in four FISMA areas, and each of the four areas was represented by a different universe. The specific designs are summarized below for each of the four audit areas.

1. Incident Response and Reporting

Universe:

The audit universe consisted of 823 incidents reported for FY 2012, as of April 3, 2012. Each incident had a unique identifier (incident number) and was categorized based on incident type into 1 of 8 categories. A listing and counts of the different categories are presented in the sample design section below.

Sample Design:

Each category has specific procedures and timelines that must be met by OCIO and the agency. While standards differ among the categories, the standards fall into four common groups: checklist requirements, reporting requirements, timely resolution, and damage containment. Thus, each incident response can be assessed as “pass” or “fail” when compared to the criteria that apply specifically to that incident type. This allowed us to combine incident response performance results (pass or fail) for the mix of incident types.

We selected a simple random sample of 75 incidents for review. The sample size of incidents was based on an error rate of 30 percent and a desired absolute precision of +/-10 percent of the audit universe, when reporting a 95 percent confidence level.

The resulting sample design and universe counts are summarized in the table below.

Table 1: Incidents universe and sample counts by category

Incident Type                                              Universe   Sample
USCERT CAT0 - Exercise/Network Defense Testing Count            124       10
USCERT CAT1 - Unauthorized Access Count                          46        4
USCERT CAT3 - Malicious Code Count                              225       18
USCERT CAT4 - Improper Usage Count                               11        1
USCERT CAT5 - Scans/Probes/Attempted Access Count                19        2
USCERT CAT6 - Investigation Count                                77        7
USDA CAT8 (USCERT CAT1) - Loss, Theft, Missing Count            199       20
USDA CAT9 - Block List Count                                    122       13
Total                                                           823       75

Results:

Results are projected to the audit universe of 823 incidents. Achieved precision, relative to the universe, is reflected by the confidence interval for a 95 percent confidence level. All projections are made using the normal approximation to the binomial, as reflected in standard equations for a stratified sample.[81]

The audit team tested a variety of criteria. Did the incident:
       · Include the required PII checklist?
       · Get reported to US-CERT within the required timeframe?
       · Include the proper checklist, and was it completed correctly; if not complete, did IHD accept the incident?
       · Include a fully completed Incident Identification Form?
       · Include the required incident category checklist?
       · Have a POA&M created if it was open for over 30 days?

We used a projection for whether all checklists were completed, as required by SOP, and an overall projection, which was based on the number of incidents found in our sample with at least one exception, based on all criteria tested. We are reporting actual findings for the rest of the criteria tested.

Projections are shown in Table 2. Narrative interpretation of the results is presented below the table.

[81] Scheaffer, Mendenhall, Ott, Elementary Survey Sampling, Fourth Edition (Chapter 5), Duxbury Press, c1990.

Table 2: Incident Response and Reporting Projections
(Columns: Estimate; Standard Error; 95% Confidence Interval Lower and Upper; Coefficient of Variation; Population Size; Sample Size; Achieved Precision)

Description of estimate for tested criteria                               Estimate  Std Error  Lower  Upper    CV  Pop.  Sample  Precision
Incidents that were not reported to US-CERT within the required timeframe      340     44.914    251    430  .132   823      75        11%
Incidents with at least one exception in all criteria tested                   351     45.111    261    441  .128   823      75        11%

Based on our sample results:
    · We estimate that 340 incidents (about 41 percent of the audit universe) were not reported to US-CERT within the required timeframe. We are 95 percent confident that between 251 (30 percent) and 430 (52 percent) incidents in the audit universe are non-compliant with this criterion.
    · We estimate that 351 incidents (about 43 percent of the audit universe) had at least one exception in the tested criteria. We are 95 percent confident that between 261 (32 percent) and 441 (54 percent) incidents in the audit universe were not handled in accordance with Departmental procedures.

2. POA&Ms

POA&Ms (Closed)

Universe:

The universe of POA&Ms consisted of 1,106 closed POA&Ms.

Sample Design:

We based our sample size on a 25 percent error rate and desired absolute precision of +/-10 percent, at the 95 percent confidence level. With these assumptions, we calculated a sample size of 69 POA&Ms for review, and selected them by choosing a simple random sample.

Results:

Results for all criteria are projected to the audit universe of 1,106 closed POA&Ms. Achieved precision, relative to the audit universe, is reported for each criterion. The corresponding lower and upper bounds of the 95 percent confidence interval are also included. All projections are made using the normal approximation to the binomial, as reflected in standard equations, for a simple random sample.[82]

Projections are shown in Table 3. Narrative interpretation of the results can be found below the table.

[82] Op. cit., Scheaffer et al., Chapter 4.

Table 3: POA&M (closed) Projections
(Columns: Estimate; Standard Error; 95% Confidence Interval Lower and Upper; Coefficient of Variation; Population Size; Sample Size; Achieved Precision)

Description of estimate for tested criteria                                                Estimate  Std Error  Lower  Upper    CV  Pop.  Sample  Precision
POA&Ms with remediation actions that did not sufficiently address the identified weaknesses     176     47.542     81    271  .270  1106      69         9%

Based on our sample results, we estimate that 176 POA&Ms (about 16 percent of the universe) in our universe had remediation actions that did not sufficiently address the identified weaknesses. We are 95 percent confident that between 81 (7 percent) and 271 (25 percent) POA&Ms in the audit universe are non-compliant with this criterion.

3. System / Contingency Planning

Universe:

Our universe consisted of 204 FISMA-reportable systems for all agencies within USDA that were reviewed as of August 25, 2012. Each system is to have a contingency plan that contains very specific recovery information for the agency in the event of a disaster.

Sample Design:

We selected a simple random sample of 58 contingency plans for review. For a 95 percent confidence level, this sample size was adequate for a range of potential outcomes: from a 0 percent exception rate, with a 5 percent upper limit, to a 30 percent error rate, with +/-10 percent precision. Our simple random sample included at least one contingency plan from each agency, so we did not use stratification.

Results:

The audit team reviewed the 58 system contingency plans selected in the sample. Results are projected to the audit universe of 204 systems. Achieved precision, relative to the universe, is reported for each criterion. The corresponding lower and upper bounds of the 95 percent confidence interval are also included. For two criteria, the lower bound was lower than the number of exceptions observed in the sample. All projections are made using the normal approximation to the binomial, as reflected in standard equations, for a simple random sample.[83]

Projections are shown in Table 4. Narrative interpretation of the results can be found below the table.

[83] Ibid.

Table 4: System / Contingency Planning Projections
(Columns: Estimate; Standard Error; 95% Confidence Interval Lower and Upper; Coefficient of Variation; Population Size; Sample Size; Achieved Precision)

Description of estimate for tested criteria                                        Estimate  Std Error  Lower  Upper    CV  Pop.  Sample  Precision
Systems that did not have evidence of CP testing                                         28      7.882     12     44  .280   204      58         8%
Systems that did not have evidence of ongoing testing                                    32      8.276     15     48  .261   204      58         8%
Systems that did not meet the requirements to provide an alternate processing site       11      5.063     3*     21  .480   204      58         5%
* Actual number found.

Based on our sample results:
       · We estimate that 28 systems (about 14 percent of the universe) in our universe did not have evidence of Contingency Plan testing. We are 95 percent confident that between 12 (6 percent) and 44 systems (22 percent) are non-compliant with this criterion.
       · We estimate that 32 systems (about 16 percent of the universe) in our universe did not have evidence of ongoing testing. We are 95 percent confident that between 15 (7 percent) and 48 systems (24 percent) are non-compliant with this criterion.
       · We estimate that 11 systems (about 5 percent of the universe) in our universe did not meet the requirements to provide an alternate processing site. We are 95 percent confident that between 3 (actual number found, which represents about 1.5 percent of the universe) and 21 systems (10 percent) are non-compliant with this criterion.

4. Non-contractor systems in CSAM

Universe:

Our universe consisted of 226 non-contractor systems found in CSAM that were operational and FISMA-reportable. We excluded systems from two agencies included in the FISMA review – the Agricultural Research Service and the Foreign Agricultural Service – as well as any OIG systems. The two agencies in the FISMA review were excluded because we had already reviewed 100 percent of those systems as part of the audit.

Sample Design:

We selected a simple random sample of 40 systems for review. The audit team expected to find few errors. We based the sample size on an expected error rate of 15 percent and a desired precision of +/-10 percent at the 95 percent confidence level.

Results:

The audit team reviewed all 40 systems selected in the sample and found none that were misidentified. Based on this result, we are 95 percent confident that less than 7 percent of the systems in our audit universe might be misidentified.

Auditors reviewed documentation and found 10 non-contractor systems with insufficient interconnection documentation. Based on this sample result, we project that 57 systems in the universe of 226 have this issue. We are 95 percent confident that between 28 and 85 non-contractor systems may have insufficient documentation.
The table below shows the parameters for this projection:

(Columns: Estimate; Standard Error; 95% Confidence Interval Lower and Upper; Coefficient of Variation; Population Size; Sample Size; Achieved Precision)

Description of estimate for tested criteria               Estimate  Std Error  Lower  Upper    CV  Pop.  Sample  Precision
Systems with insufficient interconnection documentation         57     14.216     28     85  .252   226      40        13%
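The simple-random-sample projections in Exhibit B (the closed-POA&M row in Table 3, the three contingency-planning rows in Table 4, and the non-contractor systems row above) all come from the same formulas, and an auditor or reviewer can check them from the stated sample counts. The following Python is an added worked example, not code from the OIG report. It assumes the estimator in the cited Scheaffer, Mendenhall and Ott text for a proportion from a simple random sample with finite population correction, a bound of two standard errors (the textbook's approximate 95 percent bound), conventional half-up rounding of the bounds, and a lower bound clamped to the exceptions actually observed, which is the "3*" case in Table 4. The raw counts 8 of 58 (CP testing) and 11 of 69 (closed POA&Ms) are not printed in the report and are inferred from the projected 28 and 176; the other counts are stated in Sections 9.1.5, 9.1.9 and 10.1.3. The stratified incident projections in Table 2 need per-category exception counts the report does not print, so they are not reproduced. All function and field names are this example's own.

```python
"""Projecting simple-random-sample exception counts to an audit universe.

Added worked example; not from the OIG report. Reproduces the Exhibit B
simple-random-sample projections from the sample counts the report states.

Method assumed (Scheaffer, Mendenhall & Ott, ch. 4, the text the report cites):
    p_hat       = exceptions / n
    estimate    = N * p_hat
    std. error  = N * sqrt(p_hat * (1 - p_hat) / (n - 1) * (N - n) / N)
    bounds      = estimate +/- 2 * std. error   (the text's approximate 95% bound)
    coefficient of variation = std. error / estimate
    achieved precision       = (2 * std. error) / N
The lower bound is clamped to the exceptions actually observed (Table 4's "3*").
"""
import math
from dataclasses import dataclass


def round_half_up(x: float) -> int:
    """Conventional rounding (x.5 rounds up). Python's round() is banker's
    rounding and would turn the 56.5 estimate in the last table into 56."""
    return math.floor(x + 0.5)


@dataclass(frozen=True)
class Projection:
    estimate: float            # projected number of exceptions in the universe
    std_error: float
    lower: int                 # bounds as whole systems / POA&Ms
    upper: int
    coeff_variation: float     # std_error / estimate
    achieved_precision: float  # half-width of the interval relative to N
    lower_clamped: bool        # True when the bound fell below the observed count


def project_srs(universe: int, sample: int, exceptions: int,
                multiplier: float = 2.0) -> Projection:
    """Project exceptions found in a simple random sample to the universe.

    `multiplier` is the number of standard errors in the bound. Scheaffer et
    al. use 2 for an approximate 95 percent bound (1.96 is the exact normal
    quantile); 2 is what reproduces the report's printed bounds.
    """
    if not 1 < sample <= universe:
        raise ValueError("need 1 < sample <= universe")
    if not 0 <= exceptions <= sample:
        raise ValueError("exceptions must lie between 0 and sample")
    p_hat = exceptions / sample
    fpc = (universe - sample) / universe          # finite population correction
    var_p = p_hat * (1 - p_hat) / (sample - 1) * fpc
    estimate = universe * p_hat
    std_error = universe * math.sqrt(var_p)
    half_width = multiplier * std_error
    lower = round_half_up(estimate - half_width)
    upper = min(round_half_up(estimate + half_width), universe)
    clamped = lower < exceptions
    if clamped:
        lower = exceptions    # the universe cannot hold fewer than the sample found
    cv = std_error / estimate if estimate else math.inf
    return Projection(estimate, std_error, lower, upper, cv,
                      half_width / universe, clamped)


def zero_exception_upper_bound(sample: int, confidence: float = 0.95) -> float:
    """One-sided upper bound on the error rate when a sample shows no exceptions.

    Exact binomial: the largest rate at which observing 0 of n still has
    probability >= 1 - confidence. The normal approximation gives a zero-width
    interval at p_hat = 0, which is why Section 4's "none misidentified"
    result needs this instead.
    """
    return 1 - (1 - confidence) ** (1 / sample)


# Sample counts behind the Exhibit B rows: (universe, sample size, exceptions).
# 8 of 58 and 11 of 69 are inferred from the projected 28 and 176 (assumption);
# the rest are stated in Sections 9.1.5, 9.1.9 and 10.1.3 of the report.
EXHIBIT_B_SRS = {
    "Table 3: closed POA&Ms with insufficient remediation": (1106, 69, 11),
    "Table 4: no evidence of CP testing": (204, 58, 8),
    "Table 4: no evidence of ongoing testing": (204, 58, 9),
    "Table 4: no alternate processing site": (204, 58, 3),
    "Non-contractor systems: insufficient interconnection docs": (226, 40, 10),
}

if __name__ == "__main__":
    for label, (n_universe, n_sample, found) in EXHIBIT_B_SRS.items():
        r = project_srs(n_universe, n_sample, found)
        mark = "*" if r.lower_clamped else ""
        print(f"{label}: estimate {round_half_up(r.estimate)}, "
              f"SE {r.std_error:.3f}, bounds {r.lower}{mark}-{r.upper}, "
              f"CV {r.coeff_variation:.3f}, precision {r.achieved_precision:.0%}")
    print(f"0 of 40 misidentified: error rate below "
          f"{zero_exception_upper_bound(40):.1%}")
```

Running the script prints one line per table row; the estimate, standard error, bounds, coefficient of variation and achieved precision match the report's tables, including the clamped "3*" lower bound for alternate processing sites, and the zero-exception bound for the 40-system misidentification check comes out at about 7 percent, consistent with the report's "less than 7 percent". The same function is the check to run when a finding's projection looks implausible: a sample count that cannot reproduce the printed estimate and standard error means either the universe size or the exception count in the narrative is wrong.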